Other issues in this category (98)
An anti-virus as a formality
Thursday, August 20, 2020
Here is a typical technical support request:
We discovered that all of our databases had been encrypted and that multiple copies of a text document containing a ransom demand were in numerous locations on the disks. Then we scanned the system with Dr Web CureIt!, and the virus was removed.
This request was submitted by a Doctor Web customer. Our engineers examined the incident thoroughly, and it turned out that… no malware was involved.
An attacker logged in via RDP and ran an encryption script that launched the openssl utility. Then the intruder specified the password manually.
That's how the stars all aligned:
- There were readily available operating system features for the attacker to use.
- The option to log in remotely was available.
- And there was a weak password.
A brute-force attack was mounted; the intruder logged into the system remotely and launched an application that was already available on the computer.
Moreover, it is quite possible that the attacker browsed through the local network before encrypting the files.
No traces of encryption ransomware were discovered on the PC. Perhaps it was only used as an entry point to penetrate your network.
We often express our frustration with users who purchase an anti-virus just because they are supposed to, neglect to install it, and then blame it for all their problems.
So, the user's system was never infected, but they didn't know it at first.
- The installed Dr.Web anti-virus didn't detect the trojan (perhaps, the attacker had disabled it).
- In fact, Dr.Web was only installed on the server after the files had been encrypted. No anti-virus logs from an earlier date were discovered (that's why there was no information about how the encryption ransomware was launched).
And what’s saddest of all is that, in theory, the system administrator had been preparing for just such situations. Here is what he wrote next:
Can you issue your recommendations as a formal letter on Doctor Web letterhead? I need something I can show to the management so that they stop objecting when I ask them to use strong passwords, set up VPN tunnels, and adopt other security measures.
It appears that the managers had expressed their irritation more than once. What's all that security fuss about?#anti-virus #hacking #extortion #corporate_security #responsibility #signs_of_infection
The Anti-virus Times recommends
Anti-viruses remove malware. This is our forte. It is infection incidents that we advise users about. But once an incident has been examined, what happens next? The user receives our recommendations on how the threat should be removed and deletes the malware… But does this solve the problem?
If an attack involving encryption ransomware is mounted on a corporate infrastructure, many people would assume that the threat actors would install malware and then vanish instantly to avoid detection. But, in fact, criminals may not be so quick to abandon the compromised hosts.
That sounds entirely reasonable. Even if you are fortunate enough to get hold of a decryption utility, it doesn't make your system immune to future attacks and won't prevent criminals from using the same intrusion path once again. We have witnessed that quite frequently.
Deleting malware is not enough. You also need to determine how it was able to get into the system and plug that security loophole. Otherwise it will happen again.