
Ransomware security guidelines (I): Ryuk's attack on the SEPE


With this post we begin a series of three articles about ransomware. In this first one we explain what Ryuk is and how it affected the SEPE (Spain's Public State Employment Service); in the second we will carry out a local PoC (proof of concept); and in the last one we will cover good practices for preventing this kind of attack.

Let us start at the beginning: what is ransomware?

It is a type of malware (often loosely called a virus) that infects our devices, encrypts our files and then demands a ransom for the key that recovers them, almost always payable in cryptocurrency. It is not confined to the device it lands on: it can also spread to other devices reachable over the network.
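The following is an added example, written for this article; it is not code from the original post nor from Ryuk or any other real family. It models the mechanism just described in miniature: the malware carries the attacker's public key, draws one random key per victim, encrypts every file with it, wraps that key with the public key and throws the plaintext copy away, so the victim is left with ciphertext and a wrapped key that only the attacker's private key (which never touches the victim's machine) can unwrap. Everything here is an assumption for illustration: the `.locked` extension, the note name, the in-memory dict standing in for the disk, and the textbook RSA and hash-based stream cipher, which are toys and not production cryptography.

```python
"""Toy model of crypto-ransomware's key handling (added example, not the
original post's code). All names, the extension and the ciphers are assumptions
made for illustration; the "disk" is an in-memory dict so this runs offline."""
import hashlib
import secrets
from math import gcd

EXT = ".locked"  # hypothetical extension chosen for the example


def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin test; good enough for a toy key pair."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, full width
        if _is_probable_prime(cand):
            return cand


def attacker_keygen(bits: int = 256):
    """Returns ((n, e), (n, d)). Only (n, e) is shipped inside the malware."""
    e = 65537
    while True:
        p, q = _random_prime(bits), _random_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter mode over SHA-256: keystream block i = H(key || nonce || i)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def infect(victim_fs: dict, public_key) -> tuple:
    """Encrypts every file, wraps the per-victim key, drops a note.
    Returns (encrypted_fs, wrapped_key); the plaintext key is discarded."""
    n, e = public_key
    victim_key = secrets.token_bytes(32)  # 256-bit key, always < the 512-bit n
    encrypted = {}
    for name, data in victim_fs.items():
        nonce = secrets.token_bytes(16)
        encrypted[name + EXT] = nonce + _keystream_xor(victim_key, nonce, data)
    wrapped = pow(int.from_bytes(victim_key, "big"), e, n)
    del victim_key  # nothing left on the victim's side can reverse `wrapped`
    encrypted["README.txt"] = f"Files encrypted. Key id: {wrapped:x}".encode()
    return encrypted, wrapped


def recover(encrypted: dict, wrapped: int, private_key) -> dict:
    """What the attacker's decryptor does once the private key is available."""
    n, d = private_key
    k = pow(wrapped, d, n)
    if k.bit_length() > 256:
        raise ValueError("wrong private key: unwrapped value is not a 32-byte key")
    victim_key = k.to_bytes(32, "big")
    restored = {}
    for name, blob in encrypted.items():
        if name.endswith(EXT):
            nonce, body = blob[:16], blob[16:]
            restored[name[: -len(EXT)]] = _keystream_xor(victim_key, nonce, body)
    return restored


# Constructed sample "disk" for the demo.
VICTIM_FILES = {
    "nominas_2021.xlsx": b"id;name;amount\n1;Ana;1200\n2;Luis;1350\n",
    "expedientes.db": bytes(range(256)) * 3,
}


def demo() -> bool:
    """Round trip: infect, then recover with the attacker's private key."""
    pub, priv = attacker_keygen()
    encrypted, wrapped = infect(dict(VICTIM_FILES), pub)
    return recover(encrypted, wrapped, priv) == VICTIM_FILES


if __name__ == "__main__":
    print("recovered with private key:", demo())
```

The point to take from the toy is where the secret lives: after `infect` returns, the victim holds ciphertext, a nonce per file and an RSA-wrapped key, and none of that is enough to run `recover`; only the `d` kept by the attacker is. That asymmetry is why offline recovery fails and why backups, not decryption, are the realistic answer. Real families differ in detail (per-file keys, AES instead of a hash-based stream, padding on the RSA step), but the shape is the same.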

The two entry routes for this kind of malware are the exploitation of vulnerabilities in the organisation's own systems and the human factor, chiefly phishing (according to Zaharia, 2017, 97% of phishing e-mails carried some form of ransomware).

This type of malware is neither new nor a passing fad. As early as 1989 there was PC Cyborg (the AIDS Trojan). Much later came CryptoLocker (2013), followed by many others such as TeslaCrypt, WannaCry and Ryuk.

What is Ryuk and what happened to the SEPE?

On 9 March 2021, the SEPE announced on Twitter that its website and its electronic office (sede electrónica) were unavailable. It was a cyber-attack.

The SEPE was infected by Ryuk (the name refers to a character in the manga Death Note), a ransomware family that targets large Microsoft Windows environments, frequently those of public bodies. The entry vector was never made public, but the attack landed just as the ProxyLogon vulnerabilities in Microsoft Exchange Server (CVE-2021-26855 and related) were being disclosed; no link between the two has been confirmed, so draw your own conclusions.

Ryuk has also left other "gifts" in Spain, in companies such as Prosegur, Everis and Cadena SER, as well as in several town halls.

But is there a solution?

Messages about the "new" SEPE portal started to circulate on the web. The restored site appeared to have been rebuilt from snapshots of the old site taken from https://archive.org/ and served from a server identifying itself as IIS 5.0, which suggests that usable backups of their own system were in short supply.

A quick search turns up the SEPE's public tender for IT systems (13,300,866.61 €), whose deadline for submitting offers was 17/05/2016: the same year shown on the maintenance banner of the restored site.

UPDATE 1: Several days after the news of the cyber-attack broke, it emerged that the Public State Employment Service did not hold the certification of compliance with the ENS (Esquema Nacional de Seguridad, the National Security Scheme) required by the National Cryptologic Centre (CCN).

The list of public entities that hold this certification is publicly available.

UPDATE 2: A new vulnerability in F5 BIG-IP appliances was disclosed in March 2021 (CVE-2021-22986) that allows unauthenticated remote code execution (RCE: running arbitrary commands on the appliance itself). Naturally, the SEPE website sits behind these appliances.

Let's recap: a public entity that lacks the required security certification has its entire infrastructure paralysed for several days. In the end, the company awarded the public contract (13,300,866.61 €) and responsible for the systems restores a front end built from copies of the old site, all of it running on an outdated stack: IIS 5.0 on one side and a BIG-IP exposed to a freshly disclosed RCE on the other.

In the next post, we will mount a ransomware locally.

Cybersecurity Department of Bosonit


