In recent months a new ransomware family called Nokoyawa has been discovered, and it has become a considerable threat for businesses worldwide. Nokoyawa targets Windows operating systems and propagates across the network via remote execution protocols, which lets the ransomware impact a large number of systems with minimal exposure.
Nokoyawa encrypts files on infected systems and appends the “.nokoyawa” extension to their filenames. It then creates a ransom note named “HOW_TO_RECOVER_YOUR_FILES.html” in every encrypted directory, with instructions on how to pay the ransom to obtain the decryption key. The ransom note also serves as proof that the files were successfully encrypted.
Nokoyawa has multiple communication channels to its command and control infrastructure. The malware sends information about the infected system to the remote server, receives instructions from it, and returns the necessary logs and user credentials to the server. In this way, the ransomware makes it almost impossible to track down the attacker’s location.
To identify the presence of Nokoyawa ransomware, the following indicators of compromise (IOCs) have been observed on infected systems:
- Network traffic to IP 22.214.171.124 on port 443
- Network traffic to IP 126.96.36.199 on port 80
- PowerShell command lines carrying IOCs such as Base64-encoded strings, file paths, process names, and registry keys
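The following script is an added example (not part of the original post or of any vendor tool) showing how the IOCs listed above can be hunted for in host logs. The only values taken from the post are the two IP:port pairs; the `key=value` log format, the sample lines, the benign demo script and the detection logic are constructed for the demo. It also decodes PowerShell `-EncodedCommand` arguments (Base64 of UTF-16LE text) and pulls out the file paths and registry keys they reference, which is what an analyst needs to see before deciding whether an encoded command line is benign.

```python
"""Hunt for the Nokoyawa IOCs listed above in a batch of host logs.

Added example: the log format, the sample lines and the detection logic are
constructed for this demo; only the two IP:port pairs come from the post.
"""
import base64
import re
from typing import Optional

# Network IOCs exactly as listed above: (destination IP, destination port).
IOC_ENDPOINTS = {("22.214.171.124", 443), ("126.96.36.199", 80)}

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so match every prefix, longest first, followed by a Base64 blob.
_PREFIXES = sorted(("e" + "ncodedcommand"[:i] for i in range(14)), key=len, reverse=True)
ENCODED_ARG = re.compile(
    r"(?i)(?:^|\s)-(?:" + "|".join(_PREFIXES) + r")\s+([A-Za-z0-9+/=]{16,})"
)
# key=value tokens; values may be double-quoted (the command line is).
_KV = re.compile(r"(\w+)=(?:\"([^\"]*)\"|(\S+))")
# Windows file paths and registry keys inside a decoded script.
_WIN_PATH = re.compile(r"(?<![A-Za-z])[A-Za-z]:\\[^\s;\"']*")
_REG_KEY = re.compile(r"(?:HK(?:LM|CU|CR|U|CC):|HKEY_[A-Z_]+)\\[^\s;\"']*")


def parse_line(line: str) -> dict:
    """Split one constructed 'k=v k="v v"' log line into a dict."""
    return {k: (q or u) for k, q, u in _KV.findall(line)}


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload (Base64 of UTF-16LE), or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # not Base64, or odd byte count
        return None


def extract_artifacts(script: str) -> dict:
    """Pull file paths and registry keys out of a decoded script for the analyst."""
    return {"paths": _WIN_PATH.findall(script), "registry": _REG_KEY.findall(script)}


def scan(lines) -> list:
    """Return one finding per line that matches a network or PowerShell IOC."""
    findings = []
    for line in lines:
        f = parse_line(line)
        host = f.get("host", "?")
        if f.get("event") == "netconn" and f.get("dport", "").isdigit():
            if (f.get("dst"), int(f["dport"])) in IOC_ENDPOINTS:
                findings.append({"host": host, "kind": "network_ioc",
                                 "detail": f"{f['dst']}:{f['dport']}"})
        elif f.get("event") == "process":
            decoded = decode_encoded_command(f.get("cmd", ""))
            if decoded is not None:
                findings.append({"host": host, "kind": "encoded_powershell",
                                 "detail": decoded, **extract_artifacts(decoded)})
    return findings


# Constructed sample: a benign script encoded the way PowerShell expects (UTF-16LE, Base64).
_DEMO_SCRIPT = "Get-ChildItem HKLM:\\SOFTWARE\\Demo; Copy-Item C:\\Temp\\stage.bin C:\\Users\\Public\\stage.bin"
_DEMO_B64 = base64.b64encode(_DEMO_SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_LOGS = [  # constructed log lines
    "ts=2023-05-01T10:00:00Z host=WS01 event=netconn dst=22.214.171.124 dport=443 proto=tcp",
    "ts=2023-05-01T10:00:01Z host=WS01 event=netconn dst=10.0.0.5 dport=445 proto=tcp",
    "ts=2023-05-01T10:00:02Z host=WS02 event=netconn dst=126.96.36.199 dport=80 proto=tcp",
    f'ts=2023-05-01T10:00:03Z host=WS02 event=process cmd="powershell.exe -NoP -W Hidden -enc {_DEMO_B64}"',
    'ts=2023-05-01T10:00:04Z host=WS03 event=process cmd="powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(finding["host"], finding["kind"], finding["detail"][:70])
```

Matching on the raw `-enc` blob is deliberately avoided: the same script encodes differently with a single extra space, so the decoder normalises first and the analyst reviews the plaintext. An encoded command line is a lead, not proof; the extracted paths and keys are what you compare against the other IOCs on the host.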
Organizations can mitigate the risks of Nokoyawa by implementing proper security measures such as data backup and recovery systems, file and folder permission policies, email filters, and antivirus programs. Additionally, keeping systems and software up to date by applying security patches can also help to prevent the spread of Nokoyawa ransomware.
In conclusion, Nokoyawa ransomware is a significant threat to businesses and organizations. Recognizing the IOCs and applying preventive measures can help organizations safeguard against this malicious software. Maintaining updated security standards and being vigilant about suspicious network activity are essential components of a proactive security strategy.
In the face of increasing ransomware attacks, it has become essential to understand the steps needed to respond to such threats effectively. If you suspect ransomware on your system, it’s imperative to take prompt action and follow the appropriate response steps to minimize the impact and recover data. Firstly, disconnect the infected system from the internet to prevent further propagation of the ransomware throughout the network. Next, identify the type of ransomware via the file extension it appends or the ransom note it leaves on the system. It’s important to gather as much information as possible about the ransomware to determine the appropriate response.
If adequate backups of the affected data are available, it’s essential to restore them immediately. Ensure that you verify their integrity and perform a scan for any remaining traces of the ransomware. If backups aren’t available, consult with IT security professionals for possible decryption tools or approaches. However, using decryption tools can be risky and may result in additional system damage, so it should only be attempted under expert guidance.
If ransom payment is considered, it is strongly advised to consult law enforcement and IT security experts before proceeding. Ransom payment may not guarantee the safe recovery of data and can incentivize further ransomware attacks. After recovery, it’s essential to assess and improve system security to prevent future ransomware threats. Regularly updating software, implementing firewalls and antivirus programs, and educating employees on best cybersecurity practices can significantly reduce the risk of ransomware attacks.
To sum up, responding to ransomware requires acting quickly, identifying the ransomware type, restoring backups, consulting IT security professionals about decryption, considering legal and expert advice before making any ransom payment, and implementing improved system security measures. Taking these steps can ensure an effective response to ransomware attacks and protect data from future threats.
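As a worked example of the identification step in the procedure above (identify the family by the extension it appends or by its ransom note), here is a read-only triage script added by the editor; it is not from the original post. It uses only the Nokoyawa traces documented earlier on this page (the “.nokoyawa” extension and the HOW_TO_RECOVER_YOUR_FILES.html note); the signature table, the directory layout and the note text are constructed for the demo, and the script is meant to be run against a copy or a mounted image of the affected volume once the host has been isolated.

```python
"""Triage a file tree for Nokoyawa's on-disk traces: the appended extension and the ransom note.

Added example: the directory layout is constructed in a temporary folder, and the
signature table holds only the single entry the text above documents.
"""
import hashlib
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Family signatures: extension appended to encrypted files and the ransom-note filename.
# Only the Nokoyawa entry from this page; extend it with your own verified entries.
KNOWN_FAMILIES = {
    "Nokoyawa": {"extension": ".nokoyawa", "note": "HOW_TO_RECOVER_YOUR_FILES.html"},
}
_NOTE_NAMES = {sig["note"]: family for family, sig in KNOWN_FAMILIES.items()}
_EXTENSIONS = {sig["extension"]: family for family, sig in KNOWN_FAMILIES.items()}


def triage(root) -> dict:
    """Walk root read-only and summarise what the identification step needs."""
    root = Path(root)
    by_ext = Counter()       # encrypted-file count per known extension
    affected_dirs = set()    # directories holding encrypted files or a note
    note_hashes = set()      # distinct note contents (one hash => one note text)
    families = Counter()     # votes per family from both extension and note hits
    untouched = 0
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel_dir = str(path.parent.relative_to(root))
        suffix = path.suffix.lower()
        if path.name in _NOTE_NAMES:
            note_hashes.add(hashlib.sha256(path.read_bytes()).hexdigest())
            affected_dirs.add(rel_dir)
            families[_NOTE_NAMES[path.name]] += 1
        elif suffix in _EXTENSIONS:
            by_ext[suffix] += 1
            affected_dirs.add(rel_dir)
            families[_EXTENSIONS[suffix]] += 1
        else:
            untouched += 1
    family = families.most_common(1)[0][0] if families else None
    return {
        "family": family,
        "encrypted_files": sum(by_ext.values()),
        "affected_dirs": sorted(affected_dirs),
        "note_variants": len(note_hashes),
        "untouched_files": untouched,
    }


# Constructed sample tree: two hit directories and one untouched one.
_DEMO_NOTE = b"<html><body>Your files are encrypted. Contact us for the key.</body></html>"
_DEMO_LAYOUT = {
    "finance/q1.xlsx.nokoyawa": b"\x00" * 64,
    "finance/budget.pdf.nokoyawa": b"\x00" * 64,
    "finance/HOW_TO_RECOVER_YOUR_FILES.html": _DEMO_NOTE,
    "hr/staff.docx.nokoyawa": b"\x00" * 64,
    "hr/HOW_TO_RECOVER_YOUR_FILES.html": _DEMO_NOTE,
    "public/readme.txt": b"nothing to see here",
}


def build_demo_tree(base) -> Path:
    """Write the constructed layout under base and return it."""
    base = Path(base)
    for rel, content in _DEMO_LAYOUT.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return base


def run_demo() -> dict:
    """Build the sample tree in a temp dir, triage it, and clean up."""
    tmp = tempfile.mkdtemp(prefix="triage-demo-")
    try:
        build_demo_tree(tmp)
        return triage(tmp)
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())
```

The note hash matters for the later steps: identical notes across directories mean one campaign text to hand to law enforcement or a decryption specialist, while several variants suggest more than one run or family and warrant a closer look before any restore.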
Well, not really, but I’m going to write a series of posts that all tie together, which can be a very useful resource for anyone interested in having a security home lab, or even for a new or established security operations centre.
I am going to use open source software and show how the tools can be used together to create a pretty awesome environment that, in my opinion, rivals if not betters many of the paid and expensive tools in the security industry.
Over the next few weeks and months, I will create guides for the following.
- Google Rapid Response
I’m not necessarily going to create the guides in the order listed above; however, I will be starting with Cuckoo.
Cuckoo is a fun place to start, as you can get a pretty awesome malware sandbox analysis tool up and running in a fairly short amount of time and see real results and benefits from it. There are so many ways you can customise it and get it working the way you want in your own environment. Why pay a third party for your malware analysis when you can have a free and powerful version of your own?
Anyhow, enough jibber jabbing. Time for the first update!
I came across this write-up by Booz Allen yesterday, and found it had some very interesting thoughts and insight into how and what happened.
1. Four VirusTotal users uploaded the compiled VBS backdoors along with other malicious files, including the TeleBots telegram-based backdoor, PowerShell post-exploitation scripts, Mimikatz, and other tools. For each user, these uploads occurred within the same one- to two-day time period.
2. In most cases, these files were uploaded several months prior to the 27 June Petya incident.
3. Booz Allen Cyber4Sight also determined that in several cases, these submitters also uploaded files associated with the MEDoc update utility to VirusTotal. This shows that these submitters were also likely users of the MEDoc software, and the inclusion of these files with the files identified in number 1 (above) demonstrates that MEDoc-related processes may have facilitated the installation vector for this software.
These past few months have been quite interesting. The scale and ease of WannaCry and the more recent Petya/NotPetya attacks have created greater awareness among individuals outside of the security world. Major news outlets are interested in these events as they transpire, and this can only be a good thing. I still believe we are many years away from individuals and businesses truly changing their mindsets and realising that just reacting to these events is not enough; more time and effort must be spent on how applications are designed and how we approach security. We need to try harder to make applications and hardware secure by design and not rely on third-party products afterwards to make the product “secure”.
We are going to have several more large-scale events like this until the mindset changes. Humans are stubborn and we do not like to change; however, this is something we must do.
The Nyetya attack was a destructive ransomware variant that affected many organizations inside of Ukraine and multinational corporations with operations in Ukraine. In cooperation with Cisco Advanced Services Incident Response, Talos identified several key aspects of the attack. The investigation found a supply chain-focused attack at M.E.Doc software that delivered a destructive payload disguised as ransomware. By utilizing stolen credentials, the actor was able to manipulate the update server for M.E.Doc to proxy connections to an actor-controlled server. Based on the findings, Talos remains confident that the attack was destructive in nature. The effects were broad reaching, with Ukraine Cyber police confirming over 2000 affected companies in Ukraine alone.
This is another good article and write-up by Talos.
It gives a lot more useful insight into how this happened. Another good read; it will be interesting to see how this continues to develop over the next few days and weeks.
I came across an interesting article today regarding the Petya/NotPetya cyber attack from last week. It is a very good write-up and analysis of how the organisation M.E.Doc appears to have been compromised and used to spread the malware through a series of updates for the software it produces.
This demonstrates how devastating these types of compromises can be, and how difficult it is for a defender to identify and stop this type of attack if you happen to be its target.
I suggest you read this very good article!
Analysis of TeleBots’ cunning backdoor
On the 27th of June 2017, a new cyberattack hit many computer systems in Ukraine, as well as in other countries. That attack was spearheaded by the malware ESET products detect as Diskcoder.C (aka ExPetr, PetrWrap, Petya, or NotPetya). This malware masquerades as typical ransomware: it encrypts the data on the computer and demands $300 in bitcoins for recovery. In fact, the malware authors’ intention was to cause damage, so they did all that they could to make data decryption very unlikely.
Another good write-up by Bleeping Computer that contains more information.
Last week, a blog post from a Ukrainian web developer went viral, after it hinted that the real culprit behind the hacked server could have been M.E.Doc’s web host, Wnet, a company that has been accused of having ties to Russia’s intelligence service (FSB).
An investigation into the man’s accusations revealed that the SBU had raided the web host on June 1, for “illegal traffic routing to Crimea in favor of Russian special services.”
My machine –
Domain-joined Windows 10 Enterprise 64-bit running McAfee AV + encrypted HDD. Fully patched with June’s updates and manually disabled/removed SMBv1.
Hit at 12:40 UK time with a BSoD. Reboot “Please install operating system – no boot device”.
And the follow-up:
I’ll just put this up here to summarise what happened and how.
We assume 1 PC was infected, that machine provided the virus with some credentials. Could have been a workstation admin’s account, giving the virus admin rights to all PCs in the local area. Over time, it must have picked up Domain Admin rights as it spread, then hitting Domain Controllers and all other Windows servers with its PSEXEC/WMIC code. The rest is history. We lost PCs that were encrypted with McAfee Disk Encryption due to corrupted MBR, PCs that were not encrypted with McAfee showed the ransom message.
This is a good demonstration of why everything must be 100% patched and not nearly patched. It is difficult to keep older machines patched and updated in an enterprise environment; however, when these systems are designed and implemented, we should be thinking about and taking into consideration how we are going to update them and keep them secure. Otherwise we will have to deal with events like the one described above again and again.
Google has announced its Capture The Flag for 2017. It offers rewards for the winners and also for participation if you are creative with your write-up of the challenges you complete, so this should give many more individuals a chance of getting something for their effort, other than the enjoyment of course.
Qualification starts on the 17th of June, and if you score enough points you can be invited to the final, which will be held at Google, where you compete in another exercise in order to be declared the winner.
Why do we host these competitions?
There are three main reasons why we host these competitions.
First, as we’ve seen with our Vulnerability Reward Program, the security community’s efforts help us better protect Google users, and the web as a whole. We’d like to give the people who solve a single challenge or two in a very clever way a chance to teach us and the security community, even if they don’t qualify for the finals. We also think that these challenges allow us to share with the world the types of problems our security team works on every day.
I do like these types of events, as you get to see how creative people can be with problem solving, and there are usually many things we can learn from others as a result.
In what is a mildly amusing statement (and I am sure not all of the conversation), Putin suggests that it’s down to patriotic individuals acting on their own behalf when they feel negative comments have been made about Russia.
It’s an interesting take on the subject.
Responding to a question about concerns in Germany that Russian hackers could meddle in that country’s upcoming federal elections, Putin said it was “theoretically possible” that “patriotic” hackers could attack those who “speak negatively about Russia.”
“At a government level, we are never engaged in this. That’s the most important thing,” Putin said at the televised meeting, which was held during Russia’s annual St. Petersburg International Economic Forum. He added that hackers could come “from any country in the world.”
As per my previous update, the idea behind what they wanted to do was a good one, but legally not so much. It seems that as humans we just cannot get around to doing the right thing and being proactive; we only understand how to react when things go wrong.