Understanding the How and Why Ransomware Targets are Identified and Pursued

Welcome back to our discussion about the Second Victim. You’ll recall that these are the unknown victims in a ransomware campaign: the servers used to deliver a message or accept payment, completely under someone else’s control and all without your knowledge. Today we are exploring some of the aspects that elevate a server from unknown, to target, and finally to victim, whether its contents are being held for ransom or it is a pawn in the actor’s nefarious game.

A researcher that I follow recently issued a “Heads Up” warning that new ransomware is targeting servers. At the time of the reporting there were at least 400 affected servers. After doing some digging, I confirmed that at least 40 servers are victims of ransomware and at least two dozen others may be affected, but are taking steps to remediate the problem. But how did this happen? What was it about these servers that made them vulnerable? Plagued by these questions, I decided to use this as my example to construct a victimology and threat assessment of how these servers may appear to the world – or more specifically, to a bad actor looking for a target.

For those who are unaware, a victimology is a process of analyzing a victim’s life as it relates to a crime. This is something law enforcement officers and criminal profilers may perform during the investigation of a crime. It encompasses examining any number of potential contributing factors, including time, geographical location, race, sex, socio-economic status, and associations, to name a few. The information obtained can then be used to construct a threat assessment, which can lead to profiles. All of this information will be of great use to the investigating officers. Unfortunately, malicious actors can also construct the same information to identify targets in their potential campaigns. Remember this point for later, folks; it’s important.

Introducing the Crime Scene

For the purposes of introducing the crime scene, incidents are the crimes and servers are the victims. Probably the most overt indicator of compromise is the message below, displayed on the site’s homepage, demanding 1.4 Bitcoin or $622.10 US to release the content. The site’s title tag is also modified to include the text “Website is locked!”

<img src="https://passle-net.s3.amazonaws.com/Passle/585a639fb00e810748563fbf/PostContentImages/2017-03-24-1-09-40-887-server-victimology_drupal_ransomware_message.tiff.png" style="width: 500px; height: 119.947px;" class="fr-fic fr-dib">

Seeing this first thing in the morning is a horrific sight. All of your data is being held hostage. And who knows what else has taken place. Your Friday just went from peaceful to chaotic in an instant. Thoughts such as, “How did this happen?” and “I am a nobody” to “Why would anyone do this?” and “I don’t have backups” are likely running loose in your mind, most likely coupled with a few expletives.

Building the Victimology and Identifying the Threat

To answer these questions, we need some background information on the victim. One of the easiest ways to get this is via the server headers. The server headers are sent by the webserver for every HTTP request and provide information for your browser or other web client to successfully communicate. This information is the baseline for our victimology. Depending on a server’s configuration, server headers can be quite verbose. Therefore, for the sake of brevity, we’ll display only the fields of interest. Think of each field as a factoid about the server, providing a glimpse into its daily life, how it operates, and what type of content it might be serving to the public or clients.

<img class="fr-fic fr-dib" src="https://passle-net.s3.amazonaws.com/Passle/585a639fb00e810748563fbf/PostContentImages/2017-03-31-4-06-37-795-Server-Victimology-Table1.png" style="width: 723px; height: 217.12px;">

Interpreting Server Characteristics

An analysis of the field values reveals the following information.

<img class="fr-fic fr-dib" src="https://passle-net.s3.amazonaws.com/Passle/585a639fb00e810748563fbf/PostContentImages/2017-03-31-5-45-35-858-Server-Victimology-Table2.png" style="width: 840px; height: 245.44px;">

If we were to conduct a threat assessment on this server, its potential for being the victim of an intrusion would be high. The key items are the PHP version and the expires date. An outdated PHP version can, and will be, problematic for a server. It is like chum in the water. It will attract sharks and it will get eaten. The expires string is significant because of its uniqueness. An expiration is not required for a server to function; therefore, a date that falls almost 38 years in the past will only pique the interest of bad actors who are searching for a good indicator to identify potential victims.

Establishing a Linkage

A linkage analysis is the process of identifying how and why two or more crimes are related. Recall that each of the fields reveals a piece of information about the server. On their own, they may not produce much actionable information, but taken together, and coupled with data from other similar incidents, we can begin to establish a linkage. Similarly, a single incident on its own is not indicative of a greater issue, but several incidents exhibiting the same or similar characteristics indicate a greater matter.

All of the aforementioned servers shared identical indicators for vulnerable PHP versions and the static expiration date. Additionally, based on the headers, many of the servers were also running Drupal of at least version 7, and PHP versions 5.2 to 5.5 -- all of which contain documented vulnerabilities. Based on this information and other findings, we could theorize that the threat actor is targeting vulnerable Drupal servers running outdated PHP on Linux- and Windows-based web servers, dating back to at least March 2016.
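To see the same picture from the defender's side, the added example below (not code from the original article) audits response headers captured from a server you administer and reports the fields discussed under the threat assessment and the linkage: PHP version, Drupal generator, server version, and a fixed Expires date. The sample header values, the function names, and the ten-year threshold for a "static" date are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample, not the values from the article's table.
# The Expires value is the fixed date Drupal 7 sends by default.
SAMPLE = """\
HTTP/1.1 200 OK
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10
X-Generator: Drupal 7 (http://drupal.org)
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Content-Type: text/html; charset=utf-8
"""

def parse_headers(raw):
    """Map lower-cased header names to values; lines without a colon are skipped."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit_headers(raw, now=None):
    """Return (header, finding) pairs for values that fingerprint the server."""
    now = now or datetime.now(timezone.utc)
    h = parse_headers(raw)
    findings = []
    php = re.search(r"PHP/(\d+)\.(\d+)", h.get("x-powered-by", ""))
    if php:
        ver = (int(php.group(1)), int(php.group(2)))
        # 5.2 to 5.5 is the range the article associates with affected servers.
        level = "in article's 5.2-5.5 range" if (5, 2) <= ver <= (5, 5) else "version disclosed"
        findings.append(("x-powered-by", f"PHP {ver[0]}.{ver[1]}: {level}"))
    if "drupal" in h.get("x-generator", "").lower():
        findings.append(("x-generator", "CMS disclosed: " + h["x-generator"]))
    if re.search(r"/\d", h.get("server", "")):
        findings.append(("server", "web server version disclosed"))
    if "expires" in h:
        try:
            exp = parsedate_to_datetime(h["expires"])
            if exp.tzinfo is None:
                exp = exp.replace(tzinfo=timezone.utc)
            # Assumed threshold: more than ten years in the past counts as static.
            if now - exp > timedelta(days=3650):
                findings.append(("expires", f"fixed date {exp.year}: stable fingerprint"))
        except (TypeError, ValueError):
            pass  # values such as "0" or "-1" are not dates; nothing to flag
    return findings
```

Suppressing these headers only removes the fingerprint; the outdated PHP and Drupal versions behind them still need to be patched.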

Conclusion

Today we took a brief look into the world of criminology to better understand the targets of a ransomware campaign. The targets, spread across many industry verticals, appear to have been selected because of a vulnerability or group of vulnerabilities that affects them all. Each was held for the same ransom amount. If the original 400 servers paid the ransom, the actor could net a profit of almost a quarter of a million dollars. Since there are potentially thousands of vulnerable servers matching the criteria, the revenue could easily jump to the millions, as people scurry to retrieve lost data.

We as security professionals faithfully try to convey the importance of patching and stress why ignoring these warnings is bad. Does our audience listen? Sadly, for the most part, no. It is often not until tragedy strikes that people hear what we have to say.

Ransomware plagues like this are only the beginning. Attackers are strengthening their attack game every day, while many who can fix the problems they exploit do nothing. Vulnerable web servers are being leveraged on both fronts of ransomware, as accomplice and as victim. Thinking you are not exposed, will never be found, or are a nobody no longer cuts it. Everyone is a potential target; everyone has some data they cannot function without. If you do not want to be a victim, it’s time to take action and do something about it.