Tag Archives: Ransomware

Think Before You Sync. Why just moving to the cloud does not solve the ransomware threat.

27 July 2019

On May 7th, 2019 the city of Baltimore was hit by a ransomware attack.  Although the city hired Microsoft and five other firms it has not fully recovered from the attack yet.(1)

Since the city’s email system was down officials started to use Gmail accounts for communications.(1)(2) This makes sense in the case of an emergency. Not communicating in the case of a publicly visible cyber-attack commonly has a large financial impact on businesses; but in the case of cities this may result in the loss of public security.

The ransomware attack on Norsk Hydro on March 19th, 2019 impressively shows the effect of good communications(3)(4): Investor’s confidence was not endangered at any time, the share price remained unchanged.

But from a strategic point of view, just moving to the whatever cloud is not a good idea. Google’s idea behind ChromeOS was simply clever: If everything (applications and data) is stored in the cloud the impact of e.g. ransomware will be negligible because the malware cannot jump across the https barrier to your cloud storage. The same holds for O365.

Unfortunately, users are not used of this way of working in the browser. It’s often slow, requires a change in working habits, travelling requires extra preparation, etc. So, Microsoft invented OneDrive and Google came up with Sync for Windows. Similar tools are available for Box and DropBox, and for all desktop operating systems, even for Linux.

Linux Setup Online Accounts

Linux setup online accounts during first login

With these syncing tools, the data stored in the cloud is made available on the user’s desktop. Changes to local files are synchronized immediately to the cloud and vice versa. And with this, the ransomware problem still exists because if a ransomware encrypts the synchronized files on the local copy the change is immediately synchronized to the cloud.
Game over.

So, if you want to take advantage of the cloud you have to run a vast change project: The whole working environment with all forms, templates, etc. must be provided in the cloud. And the employees must get used of the new way of working.

We need change!

We need change!

But the effort pays off: Your network becomes more resilient against cyber-attacks, workstations can be easily exchanged, the endpoint complexity can be reduced, windows domains and in the end, the campus network, will become dispensable.

So, think before you sync!

Have a great weekend.


  1. Duncan I. Google Pitches to Baltimore after Ransomware Attacks [Internet]. Government Technology. 2019 [zitiert 27. Juli 2019]. Verfügbar unter: https://www.govtech.com/computing/Google-Pitches-to-Baltimore-after-Ransomware-Attacks.html
  2. Cyber-spies tight-lipped on Baltimore hack. BBC News [Internet]. 27. Mai 2019 [zitiert 27. Juli 2019]; Verfügbar unter: https://www.bbc.com/news/technology-48423954
  3. Norsk Hydro. Update: Hydro subject to cyber attack [Internet]. 2019 [zitiert 24. Mai 2019]. Verfügbar unter: https://www.hydro.com/de-DE/medien/news/2019/update-hydro-subject-to-cyber-attack/
  4. Norsk Hydro ASA. Norsk Hydro: Update: Hydro subject to cyber-attack – 19.03.19 – News – ARIVA.DE [Internet]. de. 2019 [zitiert 24. Mai 2019]. Verfügbar unter: https://www.ariva.de/news/norsk-hydro-update-hydro-subject-to-cyber-attack-7476743

Some thoughts on “Protecting against ransomware using PCI DSS and other hardening standards”

20 May 2018

Post “Protecting against ransomware using PCI DSS and other hardening standards” (1) published this week by Paul Norris in SC Media UK is really worth reading. Hardening is a proven method to reduce the attack surface of a computer network. If well done, the spreading of ransomware and thus the impact on an organization can be limited.

Hardening, patching, etc. serve a common goal in cyber war: Describing the limits of conflict. Everett Dolman writes in chapter 5 of “Pure Strategy: Power and Principle in the Space and Information Age” (2):

“Tactical thinkers seek to define and describe situations. Decision-making in real-time tactical mode requires it. The more knowledge of the limits to conflict, the more creatively the tactical genius can deploy, maneuver, and engage forces. Knowing completely what cannot be done allows for an investigation what can be done.”

Hardening, patching, etc. decrease the number of options / attack vectors an attacker can use for getting on and exploring a network. IT security groups can then focus on the remaining attack vectors, and prepare for the unknown.

Let me give two examples to illustrate this.

  1. If all external storage devices are technically blocked in your organization an attacker cannot use them for delivery of weaponized documents. Furthermore, if users have no chance to change this your IT security group can focus on investigating other attack vectors.

  2. If you implemented the measures for mitigation of high and medium risk findings described in the DoD “Windows 7 Security Technical Implementation Guide” (3) you can be sure that attacks based on bypassing UAC to get elevated privileges are no longer possible.

But be aware that the attacker also knows what cannot be done after a standard is implemented…

Have a great week.


  1. Norris P. Protecting against ransomware using PCI DSS and other hardening standards [Internet]. SC Media UK. 2018 [cited 2018 May 20]. Available from: https://www.scmagazineuk.com/opinion/protecting-against-ransomware-using-pci-dss-and-other-hardening-standards/article/761956/

  2. Dolman EC. Pure Strategy: Power and Principle in the Space and Information Age [Internet]. Taylor & Francis; 2004. (Strategy and History)

  3. Department of Defense. Windows 7 Security Technical Implementation Guide [Internet]. STIG Viewer | Unified Compliance Framework®. 2017 [cited 2018 May 20]. Available from: https://www.stigviewer.com/stig/windows_7/

Ransomware for Industrial Control System – Digital Carelessness

19 March 2017

Ransomware for Industrial Control Systems (ICS) is a scaring idea. The research paper ‘Out of Control: Ransomware for Industrial Control System‘ by David Formby, Srikar Durbha and Raheem Beyah from the Georgia Institute of Technology is really worth reading.

The researchers study several attack vectors and run a proof of concept (POC). In addition, they give some hints for mitigation of this new risk in the ICS / SCADA domain.

In the simplest case, if the PLC is connected to the internet, the cyber-criminal can attack the PLC directly. A more dangerous, but also very promising way is to start an attack on a workstation located in the corporate network and use this system as base camp for the access to the production network.

In the past weeks I prepared a speech for a workshop about “Safety and security in plant safety”. In the IIoT, the digital world acts upon the physical world. With this, flaws in the IIoT software may create a safety problem. For example, if a PLC or other SCADA components are attached to the internet, cyber criminals can exploit such flaws and compromise the integrity of the systems or implement ransomware on the systems. In the worst case, if e.g. the SCADA system controls a critical infrastructure like a power grid, this may result in a blackout. And operators of critical infrastructures will pay definitely any ransom to avoid a blackout.

The attack vectors described above are the native way for accessing industrial facilities and critical infrastructures. Besides the PLC, lots of other components like switches or HMI panels are connected more or less intentionally to the internet today. My colleague Christoph Thust from Evonik calls this the Digital Carelessness.

A plain SHODAN search for ‘SCALANCE‘ results in 213 hits. These network switches are more or less exposed to the internet. If a cyber attacker can hijack such a switch, he gains full control of the production network.

Shodan Scalance Search

Shodan Scalance Search. Click to enlarge.

A search for ‘SIMATIC HMI‘ results in 103 hits. This HMI panels are directly attached to the internet, lots of them can be viewed with WinVNC, some of them can be fully operated by EVERYONE.

Shodan Search HMI

Shodan Search HMI. Click to enlarge.

And, above all, HMI panels attached to the internet can be used as base camp for an attacker’s lateral movement in the production network.

Although ransomware is a really big issue today, the effort to rollout ransomware in a SCADA environment is high compared to the effort of plain attacks to unsecured SCADA system components.

The good news is, that the vendors of SCADA components already offer the elementary technology and strategies for their secure operation. But improvement of the basic security technologies is of crucial need for efficient use in the production domain.

The bad news is, that neither the engineering service providers nor the plant operators are fully aware of cyber-threats and their impact on plant operations and safety. The above examples make clear that the mitigation measures and defense strategies provided by the technology vendors are not followed.

From my point of view we need to start early in the construction process with considerations of cyber security. Security gates must be added to each construction phase. And during handover to the operator, a final pen test must be performed. As soon as Security by Design becomes an integral part of the Industrial Plant Life Cycle, the era of digital carelessness will end.

Have a good weekend.

Locky deployment methods just changed – Who cares?

30 July 2016

The Post ‘Locky Dropper Now Comes Embedded in the Loader’, published July 28, 2016 in the ReaQta Security Blog, clearly shows that the cyber criminals continuously develop and improve their products. In the past, Locky downloaded the encryption program from a command & control server. In the latest version the encryption program is embedded in the email attachment as strings. The moment the victim runs the loader, the encryption program is extracted from the strings to the User Space and executed from User Space.

This is no rocket science; simply the application of well-known obfuscation methods to the latest Locky variant.

And, with AppGuard installed on top of the security stack, this new Locky variant represents no real danger.

In my opinion, the next generation endpoint protection solutions available on the market will all deal effectively with this sort of zero-day malware. The example of AppGuard shows: It is simply install and forget.

With this, we will gain valuable time for the right and important things like the implementation of Two Factor Authentication or privileged accounts management, or the design of effective security procedures or user training. Unfortunately, the paradigm shift from prevention to detection prevents us from implementing and doing the right and important things. It’s time for a paradigm change…

Have a good weekend.

Webinar Digital Extortion: Will you pay the ransom?

27 July 2016

I attended the IBM Security Webinar “Digital Extortion: Will you pay the ransom?” this evening. Limor Kessem talked about the history of and the latest trends in ransomware. Robert Lelewski provides an overview of the means to guard against and to recover from ransomware attacks.

Robert Lelewski showed a really remarkable slide:

Train users to beware of threats

Train users to beware of threats

The message is simple: Your users are the first line of defense. User training is the most effective means of combating cyber-attacks.

For more details, see the IBM ransomware landing page.

Have a good day.

New developments in the field of ransomware

11 June 2016

During my test of AppGuard some new variants of ransomware showed up in the wild.

ReaQta reported a new and massive worldwide Locky ransomware spam campaign. The new variant downloads the payload in encrypted form from the attacker’s command and control server and decrypts it before execution on the victim’s system. This makes it harder for traditional anti-malware systems to identify the payload as malicious.

Since the decrypted version is executed from User Space AppGuard blocks the execution.

Microsoft reported a new variant called ZCryptor which behaves like a worm:

‘ZCryptor can initially infect targets through traditional phishing schemes, macros or fake installers, but also has the ability to place autorun files on removable storage devices. can initially infect targets through traditional phishing schemes, macros or fake installers, but also has the ability to place autorun files on removable storage devices. This means the ransomware can spread itself to other machines on portable storage devices, rather than relying on more targets to fall victim to phishing, according to Microsoft’s security advisory.’

I had to deactivate all Windows 10 security features on my test system to download the malware sample from malwr.com to the User Space of my account:

Timestamp MD5 File Name File Type Antivirus
May 27, 2016, 6:43 p.m. d1e75b274211a78d9c5d38c8ff2e1778 zcrypt.ex_ PE32 executable (GUI) Intel 80386, for MS Windows 39/57

AppGuard runs out-of-the-box in protection mode Protected with default User Space settings.

Again, AppGuard blocked the execution of z_crypt.exe, thus prevented the malware from becoming persistent and from encrypting my documents:

AppGuard stops ZCryptor

AppGuard stops ZCryptor

Even if one receives ZCryptor on a portable device AppGuard will block the execution due to the default Removable Media rule:

AppGuard Removable Media default rule

AppGuard Removable Media default rule

More about AppGuard next week.

Have a good weekend.