This post was written by Christiaan Beek and Andrew Furtak.
In 2015, Intel Security investigated a ransomware campaign that targeted the financial sector of a certain country. This was the first time we had observed ransomware targeting a particular sector. The infection vector in that case involved a phishing campaign directed at multiple financial institutions.
During recent weeks, we have received information about a new campaign of targeted ransomware attacks. This time the attackers compromised an external-facing server and used that access to move around the victim’s network. By separating functions that are usually present in ransomware, the adversaries attempted to avoid detection as much as possible.
The stages of this attack included leveraging access to the external system to gain access to many other systems on the internal network. A series of scripts and tools deleted the volume shadow copies and unlock files that were in use, thereby maximizing the impact and thwarting attempts to restore data. Before the actual encryption started, the ransomware divided the candidate files into categories based on size and encrypted the smallest files first. We assume this was to maximize the number of impacted files, even if the process was shut down before it completed. After the files were encrypted, a ransom note was left on the desktop. The note demanded Bitcoins in exchange for the decryption tool and private key to decrypt each of the files.
A more detailed account of our analysis (combining information from organizations across Intel Security) can be found in the technical report Targeted Ransomware No Longer a Future Threat.
This post and the linked technical report are intended to provide a summary of a current threat. If you need assistance, the Intel Security Foundstone Services team offers a full range of incident response, strategic, and technical consulting services that can further help to ensure you identify security risks and build effective solutions to remediate security vulnerabilities.