This post opens a series of articles about ransomware. In this first one we explain what Ryuk is and how it affected the SEPE; in the second we will carry out a local PoC (proof of concept); and in the last we will cover good practices for preventing this type of attack.
What is ransomware?
It is a type of malware that infects a device, encrypts its files and then demands a ransom for them (mostly, if not always, in cryptocurrency). It is not confined to the device it first lands on: it can spread to other devices on the same network.
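To make the behaviour just described concrete, here is an added example (not code from the original post, and not Ryuk's code). It simulates the encrypt-and-rename step on a temporary directory of constructed files, then runs the kind of entropy-based check a defender can use to spot files that have been encrypted: ciphertext has close to 8 bits of entropy per byte, while documents sit far below that. The ".locked" extension, the file names and the SHA-256 counter-mode keystream are all made up for the demonstration; real families use a proper cipher with per-victim keys.

```python
"""Simulate ransomware file encryption and detect it by byte entropy.

Added example for illustration; everything here (extension, file names,
keystream construction) is constructed for the demo, not taken from Ryuk.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ENCRYPTED_EXT = ".locked"   # made-up extension used by the simulated payload
ENTROPY_THRESHOLD = 7.5     # bits per byte; plain text usually sits around 4-5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant file, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream derived with SHA-256 (stand-in for a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def simulate_encrypt(directory: Path, key: bytes) -> list[Path]:
    """Encrypt every regular file in place and append ENCRYPTED_EXT, as a payload would."""
    touched = []
    for path in sorted(p for p in directory.rglob("*") if p.is_file()):
        if path.suffix == ENCRYPTED_EXT:
            continue                      # already processed
        data = path.read_bytes()
        ks = keystream(key, len(data))
        path.write_bytes(bytes(a ^ b for a, b in zip(data, ks)))
        new_path = path.with_name(path.name + ENCRYPTED_EXT)
        path.rename(new_path)
        touched.append(new_path)
    return touched


def scan_for_encrypted(directory: Path, threshold: float = ENTROPY_THRESHOLD) -> list[tuple[str, float]]:
    """Defender-side check: flag files whose byte distribution looks like ciphertext
    or that carry the known ransomware extension."""
    flagged = []
    for path in sorted(p for p in directory.rglob("*") if p.is_file()):
        ent = shannon_entropy(path.read_bytes())
        if ent >= threshold or path.suffix == ENCRYPTED_EXT:
            flagged.append((path.name, round(ent, 2)))
    return flagged


def build_sample_dir(root: Path) -> None:
    """Constructed victim data: ordinary, low-entropy documents (a few KB each)."""
    sentence = b"Quarterly unemployment figures for the regional office. "
    (root / "report.txt").write_bytes(sentence * 100)
    (root / "claims.csv").write_bytes(b"id,name,amount\n" + b"1,Ana,1200.50\n" * 400)
    sub = root / "archive"
    sub.mkdir()
    (sub / "minutes.txt").write_bytes(b"Meeting minutes: nothing to report.\n" * 150)


def demo() -> dict:
    """Run the scan before and after the simulated attack and return the counts."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_dir(root)
        before = scan_for_encrypted(root)
        encrypted = simulate_encrypt(root, key=os.urandom(32))
        after = scan_for_encrypted(root)
        return {
            "files": len(encrypted),
            "flagged_before": len(before),
            "flagged_after": len(after),
        }


if __name__ == "__main__":
    print(demo())
```

The entropy heuristic is cheap and catches the mass-encryption stage of an attack, but note its limits: already-compressed or encrypted files (ZIP, JPEG, PGP) are legitimately high-entropy, so in practice it is combined with rate-of-change, extension and ransom-note indicators rather than used alone.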
The two main entry routes for this type of malware are the exploitation of vulnerabilities in the system itself and the human factor (according to Zaharia, in 2017 97% of phishing emails carried some form of ransomware).
This type of malware is nothing new. Ransomware already existed in the 1980s (PC Cyborg, also known as the AIDS Trojan, dates from 1989). Later came CryptoLocker, followed by many others such as TeslaCrypt, WannaCry and Ryuk.
What is Ryuk and what happened to the SEPE?
On 9 March 2021, the SEPE announced on Twitter that its website and its electronic office (sede electrónica) were unavailable. It was a cyber-attack.
The SEPE was infected by Ryuk (named after a character from the manga Death Note), a ransomware family that targets large Microsoft Windows environments, often in public bodies. How it got in has not been disclosed, but the attack came just as the Microsoft Exchange Server vulnerability known as ProxyLogon was being detected in the wild... Draw your own conclusions.
Ryuk has also left other "gifts" around Spain, at companies such as Prosegur, Everis and Cadena SER, as well as at several city councils.
Is there a solution to the ransomware attack?
Messages about the new SEPE portal began to circulate on the web. Apparently the site was restored from dumps taken from https://archive.org/ (the Internet Archive) onto the SEPE servers, which identified themselves as IIS 5.0. That may mean they were rather short of backups of their own systems.
A quick search turns up the SEPE public tender for its computer systems (€13,300,866.61), in which the deadline for submitting bids is 17/05/2016, the same year shown on the maintenance banner.
Several days after news of the cyber-attack broke, it emerged that the SEPE (the Spanish Public State Employment Service) did not hold the ENS (Esquema Nacional de Seguridad, National Security Scheme) certification overseen by the National Cryptologic Centre (CCN).
You can consult all the public entities that hold this certificate here.
Later, a new vulnerability allowing remote code execution (RCE, i.e. running commands inside the appliance) was disclosed in F5 BIG-IP. Naturally, the SEPE website was served through these very devices.
Let us recapitulate: a public entity that does not hold the security certification, running old and vulnerable systems (IIS 5.0 behind BIG-IP appliances) and with insufficiently trained staff, has been down for several days. Meanwhile, the company awarded the public contract and responsible for those systems (€13,300,866.61) has been restoring backup copies of the front-end from a copy of the website, all on doubly outdated and vulnerable infrastructure.