Nearly every day one can read horror stories about new ransomware variants in the media. The new variants not only encrypt the victim’s files; they also change the computer’s configuration to make recovery with Windows tools harder, and thus add weight to their ransom demand.
The PETYA ransomware overwrites the master boot record of the computer’s hard disk. The 7ev3n ransomware, for example, disables the Windows default recovery options by running a few bcdedit commands. In addition, this variant allows components to run with elevated rights without displaying a UAC (User Account Control) prompt.
With this, recovery from a ransomware attack becomes much more difficult and laborious. But this is also a clear indicator of a lack of basic cyber hygiene.
When signed in as a standard user, one just gets the error message ‘Access is denied’ when a bcdedit command is run from a shell. The same is true for the PETYA ransomware’s attempt to overwrite the master boot record of the computer’s hard disk.
Without administrative privileges and with UAC set to ‘Always notify me’ it is just not possible to destroy the master boot record, or to get elevated rights by using the auto-elevation capabilities of Windows. Period.
Basic cyber hygiene will not eliminate the risks of ransomware, but it is a good preventive means of reducing this and lots of other risks.
Manage the use of privileged accounts—no users should be assigned administrative access unless absolutely needed, and only use administrator accounts when necessary.
Configure access controls, including file, directory, and network share permissions appropriately. If users only need to read specific information, they don’t need write access to those files or directories.
Disable macro scripts from office files transmitted over e-mail.
Great tips, easy to implement, even for SME and end users.
If something can overwrite the boot record of a modern Windows operating system, this is a sign that something is wrong. And by modern Windows operating system I mean everything from Microsoft starting with Windows Advanced Server 3.1.
Under normal conditions administrative privileges are required to overwrite the boot sector. Thus if PETYA can overwrite the boot sector, this is an indication that the current user works with administrative privileges. Unfortunately, malware can auto-elevate if UAC is not set to the highest level ‘Always notify me’. In this case it is not required that the user works with permanent administrative privileges. In fact, a report on PETYA in the German PC-Magazine confirms that PETYA uses the auto-elevation technology.
With this, defending against PETYA is an easy job from a technology point of view:
Revoke permanent administrative rights from all users and
Set UAC to ‘Always Notify Me’ as default.
The latter could be implemented as a global group policy with just a few clicks. Some user and helpdesk training is required in advance to ensure a smooth transition.
The hard part is making sure that the complex application universe in a company still works after the change. But thanks to the great progress made with UAC since Windows Vista, this should be possible now. The money spent on application testing is well invested because, by waiving permanent administrative privileges and setting UAC to the highest level, lots of security problems are solved at a single blow.
Some variants of the W2KM_DRIDEX.BM trojan behave really strangely if User Account Control (UAC) is set to the highest level ‘Always notify me’. In this case the malware attempts several times to elevate its own privileges. For a detailed description of the malware, see the post ‘Analysis of an Undetected Dridex Sample’ in the REAQTA blog.
Although this behavior is really annoying, everything has gone well so far. UAC did exactly what it was designed for: notify the user that something requests higher privileges. Without approval by the user, UAC blocks further execution and thus prevents Dridex from becoming persistent.
What next? In the best case, if the user cannot elevate the program, he calls the help desk. But is the help desk staff ready for this? What’s the proper response to this challenge?
The proper response is to quarantine the computer and disinfect the system. Or tell the user to keep calm, create an incident ticket and send it to the SOC.
The worst possible response would be to approve the request by entering the credentials of a privileged account. In this case Dridex starts over, becomes persistent and the attacker can start his malicious work.
Golden Triangle of IT Security
IT security is created by a combination of people, processes and technology. Even if processes and technology complement each other perfectly, people may become the critical factor. In particular, if helpdesk staff turnover is high, awareness training and knowledge management become a major issue.
Once a single computer is compromised, an attacker has enough time to search for the next victim in the network. Finally, when he finds a Windows 7 computer where a domain admin logs on, it ends in a Sony-like disaster.
From a technical point of view mitigation is really easy:
Remove administrative privileges from all users.
Set UAC to ‘Always notify me’, even for administrators.
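The two measures listed here (and the same pair given above for PETYA) can be verified on a host with a short audit script. The following is an added example, not code from the original post; it assumes Windows 10 / Server 2016 or later with the built-in Get-LocalGroupMember cmdlet, and the mapping of the ‘Always notify me’ slider position to the registry values is my own reading of the documented UAC policy settings. Group policy writes to the same key, so the check also reflects a centrally deployed setting.

```powershell
# Added example: audit a host against "no permanent admin rights" and
# "UAC = Always notify me". Run in an elevated PowerShell 5.1+ session.
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey

# Assumed mapping of the 'Always notify me' slider position:
#   EnableLUA = 1                  (Admin Approval Mode on)
#   ConsentPromptBehaviorAdmin = 2 (prompt for consent on the secure desktop)
#   PromptOnSecureDesktop = 1
# The Windows default one notch lower is ConsentPromptBehaviorAdmin = 5,
# which lets signed Windows binaries auto-elevate without a prompt.
$expected = @{
    EnableLUA                  = 1
    ConsentPromptBehaviorAdmin = 2
    PromptOnSecureDesktop      = 1
}
$findings = @()
foreach ($name in $expected.Keys) {
    $actual = $uac.$name
    if ($actual -ne $expected[$name]) {
        $findings += "UAC: $name is '$actual', expected $($expected[$name])"
    }
}

# Not mentioned in the post, but relevant to the help-desk scenario: with
# ConsentPromptBehaviorUser = 0 a standard user is denied elevation outright,
# so nobody can "approve" malware by typing admin credentials at the prompt.
# Reported for review only; other values are not necessarily a violation.
if ($uac.ConsentPromptBehaviorUser -ne 0) {
    $findings += "UAC: ConsentPromptBehaviorUser is '$($uac.ConsentPromptBehaviorUser)'; 0 would deny elevation for standard users"
}

# Measure 1: no permanent administrative rights. List every member of the
# local Administrators group except the built-in Administrator (RID 500).
$admins = Get-LocalGroupMember -Group 'Administrators'
foreach ($m in $admins) {
    if ($m.SID.Value -notlike 'S-1-5-21-*-500') {
        $findings += "Admin rights: $($m.Name) ($($m.ObjectClass)) is a member of Administrators"
    }
}

if ($findings.Count -eq 0) {
    'OK: no permanent admin members, UAC set to Always notify me'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

Domain groups such as Domain Admins show up as members too, which is intended: a domain admin logging on to such a workstation is exactly the Windows 7 scenario described below.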
But these are very unpopular measures. User acceptance is very low, as is business support. Therefore IT groups are always interested in highly sophisticated and expensive solutions that keep the business impact as low as possible.
IT security is to a large extent a matter of leadership …