The Bulletin article entitled “Blackmailing Enterprises: You are Patient Zero” raised a series of questions: “What is the problem for CERN?”, “We are academia!”, “Why should we worry?”. Some answers can be found below.

Ransomware attacks usually consist of tricking the victim into installing software that will eventually encrypt the victim’s computer (and any remote share or backup that the user has access to) and asking for money – the ransom – in order to unlock (decrypt) the files. Such attacks have been happening for years. However, in recent months, a worrying trend has been emerging fast: targeted organisation-wide ransomware attacks. These attacks are carried out by well-organised and well-funded criminal groups.

Ransomware attacks typically start via traditional infection vectors like phishing e-mails (“You are Patient Zero”). For targeted attacks against an entire organisation, it is also common for the attacker to focus on exposed services, like unpatched Web applications exposed to the public Internet. Once access has been gained on a single device inside the network, the attacker then focuses on silently spreading the intrusion internally in order to gain access to privileged accounts or central services. After gaining access, the attacker explores the network, reading e-mails, finding data troves, and once they know the organisation in depth, they craft a plan to cause the most panic, pain and operational disruption. It can take an average of two to three weeks for the attacker to be in a position to enter the final stage of the attack. With the right level of access and control, the attacker only has to effectively deploy the ransomware payload in a single damaging wave to as many machines as possible, covering end-user machines, central services (e-mail, web servers, etc.), shared file systems and of course, backups. This may sound complicated and costly, but automated tools increasingly perform most of the work and ransomware is currently an incredibly profitable business, allowing attacking groups to source the appropriate expertise and staffing.

As soon as the targeted organisation realises it has been attacked, a ransom note is issued. The goal is very simple: inflict maximum damage on the daily operations of the victim organisation, so that it sees no other option but to pay the ransom. Very often, the damage is total: no IT. At all. Back to pen and paper. And it works extremely well. When Carleton University was affected, it was quoted as saying “Our research is halted right now because all our computers are either shut down or infected”. Sadly, when confronted with such a situation, some victims feel the only effective option is to pay the ransom. This happened at the University of Calgary: “The decision was made to pay the ransom because we do world-class research here […] and we did not want to be in a position that we had exhausted the option to get people's potential life work back in the future if they came today and said, 'I'm encrypted, I can't get my files,'” said Dalgetty [vice-president of finances and services].

This was in 2016. The academic and research sector is clearly perceived as a viable market for attackers, and their tactics and malicious frameworks have drastically evolved since then. More than half of today's ransomware victims end up paying the ransom. Criminal organisations are taking the time to research their victims in order to maximise the potential damage to the organisation and their payoff. The amount for the ransom demanded is "just right", basically the maximum amount that the organisation can afford to pay. The University of Maastricht was one of the rare victims to expose the attack publicly and even shared a detailed technical report. In 2016, the University of Calgary paid about 20 kCHF. But in 2019, the stakes are higher and the University of Maastricht agreed to pay around 230 kCHF in the hope of unlocking its systems. The attacker completely annihilated the University’s computing and network infrastructure on 23 December, and the timing made the attack even more difficult to handle.

That said, a number of organisations seem to elect not to pay. They may acknowledge that it makes us all less safe, but most importantly that there is no guarantee the files will be unlocked by the criminals. Not all victims agree to share the figures, but ransomware attacks have such a profound impact on the core technical infrastructure of the victim that they are immensely costly, no matter the strategy. The City of Baltimore also did not pay and “has put more than $18 million into the attack. The hackers originally demanded $76,000.” 

There are also massive hidden costs: the attacker has access to all of the organisation’s data and information, including personal data about employees, customers, business partners and technologies. And it is hardly possible to hide or continue to operate during a successful ransomware attack, which itself brings additional, significant reputational damage. A ransomware infection must be considered a data breach until investigation proves otherwise. More and more of the ransomware operators are now leaking data belonging to victims who fail to pay up. This recent development means that organisations are increasingly likely to pay the ransom. The cyber insurance industry has also adapted to the new reality. It's getting more and more expensive to transfer the risk of ransomware, as underwriters are raising premiums for their coverage.

Over the course of the last months and even weeks, the number of victims in the academic sector has kept increasing, with a worrying trend of academic institutions paying ransoms, like Regis University in Denver. It would be too easy to blame the more open “academic environment” in which we operate our services. Our sector is not the only one affected: some serious industry actors are victims as well. One example is Travelex, whose entire banking system was taken down globally after an attack on New Year’s Eve. “Travelex cashiers have been resorting to using pen and paper to keep money moving at cash desks in airports and on the high street.” Beside the attack’s operational costs, the damage to Travelex’s business and reputation is of course gigantic, forcing its CEO to read a public statement regarding the attack. In another attack in December 2019, a US Coast Guard base was taken offline for 30 hours as “ransomware interrupted cameras, door-access control systems and critical monitoring systems at the site”.

Recently, ransomware started adding other functionality to target Industrial Control Systems operations. If such ransomware were to make its way into the CERN Technical Network, that could pose significant risks for the operation of the accelerator complex and the experiments. Even if the malware does not spread to actual programmable logic controllers (PLCs), it can still halt the operations of complex industrial equipment: “[The] natural gas facility shut down operations for two days after sustaining a ransomware infection”, as “A cyber threat actor used a Spearphishing Link to obtain initial access to the organisation’s information technology (IT) network before pivoting to its OT network. The threat actor then deployed commodity ransomware to encrypt data for impact on both networks.” The situation is certainly not new, but the number of victims is rapidly increasing. And most importantly, the fact that the attackers take the time needed and have the capabilities to deploy ransomware so deeply in the victims’ computing and network infrastructure is a new development.

On behalf of the Swiss Government, MELANI has issued multiple advisories and repeated warnings specifically on this issue, as “several well-known Swiss companies have been affected by this kind of attack”. In the same vein, the French ANSSI also produced a detailed report, and explicitly warn that organisation-wide ransomware is currently the most serious computing threat for institutions and companies. ANSSI add that such attacks are sometimes as sophisticated as nation-state sponsored espionage operations. As a result, the question is not whether well-funded organised groups will target CERN with an organisation-wide ransomware attack, but when. But the most important question is: what do we do about it?

• Phishing detection: Our anti-malware filtering appliances detect most phishing e-mails, in particular those containing attachments. But this does not provide complete protection as, currently, it does not follow embedded links to their origin to verify whether the webpage or file behind the links is legit or malicious. Due to this configuration, it is easy to insert a malicious download link in an e-mail, and it remains reasonably simple to successfully send a malicious attachment.
• Security patching of exposed services: It is absolutely crucial to keep all exposed services fully patched. More and more malware carries out scans of the local network even after the initial infection in order to propagate inside the organisation. An example is Emotet, which often delivers the Trickbot ransomware as a second stage. A leading university was affected by an organisation-wide ransomware attack after the attacker “manually” compromised an unpatched Web application after scanning and exploring their exposed services. It is common to have delayed security patching on non-critical services – these make easy targets for attacking groups.
• End-point protection: The current signature-based protection unfortunately has a low malware detection rate. Efforts towards better “Endpoint Detection and Response” are ongoing by IT-CDA, although there is no defined timeline or budget.
• Threat intelligence / SOC: The CERN Computer Security Team takes great care to collect known ransomware “command and control” servers from hundreds of partners, including MELANI and other government agencies. Very often this provides after-the-fact response capabilities, and does not guarantee all ransomware attacks will be detected.

After the attack, the University of Maastricht produced a number of recommendations based on the lessons it learnt, most of which are relevant to CERN as well. Basically, resilience is the key. It is absolutely crucial to keep all exposed services fully patched. You can help the Organization with that by keeping your computer, laptop, smartphone and, if you manage one, computing service up-to-date. Make sure that you have appropriate back-ups that are not susceptible to unintentional modification or deletion. Secure your computing account appropriately, do not disclose your password to third parties, and segregate the power of service accounts so that the exposure of one does not compromise all the systems you manage. Finally, STOP – THINK – DON’T CLICK on unknown attachments or weblinks, so you don’t become the patient zero compromising CERN (see our Bulletin article entitled “Blackmailing Enterprises: You are Patient Zero”).

_______

Do you want to learn more about computer security incidents and issues at CERN? Follow our Monthly Report. For further information, questions or help, check our website or contact us at Computer.Security@cern.ch.