The short post ‘New Ransomware Crippling Chernobyl Sensors’, published on 28 June 2017 by Jack Laidlaw at HACKADAY, deeply frightened me. I was relieved to read that no Industrial Control Systems (ICS) were affected.
ICS at the Chernobyl Power Plant. Picture Credits: Chernobyl NPP Press Center, chnpp.gov.ua
The following press statement was published at the Power Plant’s homepage:
As of 27.06.2017 due to the cyber attack: the SSE ChNPP’s official website was not accessible, servers for controlling the local area network and auxiliary systems of SSE ChNPP information resources (mail server, file-sharing servers, Internet resources’ access server, electronic document flow system server) were switched off. There was partial failure in operation of personal computers of workplaces of operators of individual radiation monitoring systems without loss of the control function as a whole.
From the recent cyber-attacks on industrial systems we know that the attacks always start in the office network of a production site. Once an office computer is hijacked, the cyber criminals use it as a base to probe the network further until they find a weakness in the network configuration which allows them to attack the production network.
Thus, we should not take this matter lightly. In my opinion, the production network of nuclear power plants must be fully isolated from the office network, and the internet. Period.
Nearly every day one can read horror stories about new ransomware variants in the media. The new variants encrypt not only the victim’s files. In addition, they change the computer’s configuration to make recovery with Windows tools harder, adding weight to their ransom demand.
The PETYA ransomware overwrites the master boot record of the computer’s hard disk. The 7ev3n ransomware, for example, disables the Windows default recovery options by running several bcdedit commands. In addition, this variant allows components to run with elevated rights without displaying a UAC (User Account Control) prompt.
With this, recovery from a ransomware attack becomes much more difficult and elaborate. But this is also a clear indicator of a lack of basic cyber hygiene.
When signed in as a standard user, one just gets the error message ‘Access is denied’ when a bcdedit command is run from a command shell. The same is true for the PETYA ransomware that overwrites the master boot record of the computer’s hard disk.
Without administrative privileges and with UAC set to ‘Always notify me’ it is just not possible to destroy the master boot record, or to get elevated rights by using the auto-elevation capabilities of Windows. Period.
Basic cyber hygiene will not eliminate the risk of ransomware, but it is a good preventive measure for reducing this and many other risks.
Manage the use of privileged accounts—no users should be assigned administrative access unless absolutely needed, and only use administrator accounts when necessary.
Configure access controls, including file, directory, and network share permissions, appropriately. If users only need to read specific information, they don’t need write access to those files or directories.
Disable macro scripts from office files transmitted over e-mail.
Great tips, easy to implement, even for SMEs and end users.
If something can overwrite the boot record of a modern Windows operating system, this is a sign that something is going wrong. And by a modern Windows operating system I mean everything from Microsoft starting with Windows Advanced Server 3.1.
Under normal conditions administrative privileges are required to overwrite the boot sector. Thus, if PETYA can overwrite the boot sector, this is an indication that the current user works with administrative privileges. Unfortunately, malware can auto-elevate if UAC is not set to the highest level, ‘Always notify me’. In that case it is not required that the user works with permanent administrative privileges. Indeed, a report in the German PC-Magazine confirms that PETYA uses this auto-elevation technique.
With this, defending against PETYA is an easy job from a technology point of view:
Revoke permanent administrative rights from all users, and
Set UAC to ‘Always Notify Me’ as the default.
The latter could be implemented as a global group policy with just a few clicks. Some user and helpdesk training is required in advance to ensure a smooth transition.
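As an added illustration (not part of the original post), the following PowerShell script audits both conditions on a single machine: whether the signed-in account holds permanent administrative rights, and whether UAC is at the highest level. It assumes the documented policy values under the Policies\System registry key, where ‘Always notify me’ corresponds to EnableLUA=1, ConsentPromptBehaviorAdmin=2 and PromptOnSecureDesktop=1; the remediation function is the local equivalent of the group policy setting and must be run from an elevated session.

```powershell
# Added audit script, not from the original post. Assumption: the UAC level is
# derived from the documented policy values under HKLM\...\Policies\System;
# 'Always notify me' = EnableLUA 1, ConsentPromptBehaviorAdmin 2, PromptOnSecureDesktop 1.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-AccountStatus {
    $id        = [Security.Principal.WindowsIdentity]::GetCurrent()
    $adminsSid = New-Object Security.Principal.SecurityIdentifier('S-1-5-32-544')
    $principal = New-Object Security.Principal.WindowsPrincipal($id)
    [pscustomobject]@{
        User             = $id.Name
        # Member of local Administrators: this is the "permanent administrative
        # rights" case in which auto-elevation can succeed below 'Always notify me'.
        InAdministrators = $id.Groups.Contains($adminsSid)
        # Token currently elevated? (a UAC-filtered admin token reports $false)
        Elevated         = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    }
}

function Get-UacStatus {
    $p = Get-ItemProperty -Path $UacKey
    $always = ([int]$p.EnableLUA -eq 1) -and
              ([int]$p.ConsentPromptBehaviorAdmin -eq 2) -and
              ([int]$p.PromptOnSecureDesktop -eq 1)
    [pscustomobject]@{
        EnableLUA                  = [int]$p.EnableLUA
        ConsentPromptBehaviorAdmin = [int]$p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = [int]$p.PromptOnSecureDesktop
        AlwaysNotify               = $always
    }
}

function Set-UacAlwaysNotify {
    # Local equivalent of the group policy 'Behavior of the elevation prompt for
    # administrators in Admin Approval Mode' = prompt for consent on the secure desktop.
    Set-ItemProperty -Path $UacKey -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
}

$acct = Get-AccountStatus
$uac  = Get-UacStatus
$acct | Format-List
$uac  | Format-List
if ($acct.InAdministrators) {
    Write-Warning "$($acct.User) has permanent administrative rights; use a standard account for daily work."
}
if (-not $uac.AlwaysNotify) {
    Write-Warning "UAC is below 'Always notify me'; run Set-UacAlwaysNotify from an elevated session or deploy it via group policy."
}
```

Run the audit as the everyday user account, not from an elevated prompt, otherwise the Elevated field tells you nothing about normal working conditions.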
The hard job is to make sure that the complex application universe in a company still works after the change. But thanks to the great progress with UAC since Windows Vista, this should be possible now. The money spent on application testing is well invested, because by revoking permanent administrative privileges and setting UAC to the highest level, many security problems are solved at a single stroke.