Ransomware virus

ajdratch
I'm trying to identify a ransomware virus that hit a network. I believe it is “FakeGlobe” virus. Aside from not knowing how it got on the network, there are other things I cannot figure out.  The more I know, the better I can protect this network. We did have backup replicated offsite so we are good. It just took a lot of work rebuilding servers and restoring data.

This virus uninstalled TrendMicro on servers and workstations. It then ran on those devices.  This created a unique encryption. If they were to have paid to get it unencrypted, they would have had to pay for each computer separately.  It appears it did not rely on shared drives to spread it.  

It also infected a server that was off the domain. The administrator account password was not the same as administrator password on the network. I have no idea how they could have gotten to that.

There are only three people with domain admin rights and there are service accounts with domain admin rights. None of the three users were on the network when it hit on a Saturday evening.  Passwords for the accounts with administrator rights were not changed. This means they had to find a way to read the passwords.

I did see information about Pony Botnet that may have been used https://thehackernews.com/2014/02/pony-botnet-steals-220000-from-multiple.html

I’m just looking for thoughts and ideas on how this could have happened so I can prevent it from happening again.  I’d like to know if it was done manually by someone gaining access to a computer or they managed to run scripts that did all the damage.  If they got to a computer, we may need to disable remote access. Many of the users have TeamViewer.  I saw this post https://www.teamviewer.com/en/company/press/statement-on-ransomware-infections-via-teamviewer/

Another thing I need to figure out is how to prevent unprotected computers from VPN access. We have a SonicWall firewall. We use both the global VPN and NetExtender.
John, Business Consultant (Owner), Most Valuable Expert 2012, Expert of the Year 2018

Commented:
These viruses are transmitted by email. Someone in your company opened an email from a stranger, it then spawned the ransomware and it attacks anything connected. Very unlikely anyone hacked in and passwords and domain connection are not necessary to transmit the virus.
gilnov, Systems Administrator

Commented:
There is no way for anyone here to definitively tell you how the virus got in without spending significant time on your network and, even then, it might not be possible to say for sure. That said, the 2 most common ways malware penetrates networks are via email and web browsing, especially with unpatched computers. Once the malware has a toehold on a computer, it's just a matter of privilege escalation, which can happen in a matter of minutes. Ways to mitigate include a hardware firewall, whole-network web filtering, up-to-date OS and application patches, up-to-date antivirus software (a.k.a. endpoint protection), following the principle of least privilege (i.e. not giving users local admin rights to their computers), and end-user training.
John, Business Consultant (Owner), Most Valuable Expert 2012, Expert of the Year 2018

Commented:
Yes:

1. Top notch spam control - very effective.
2. User training as noted above.

ajdratch (Author)

Commented:
I know it most likely would be from email or clicking on a link. If a user without domain admin privileges clicked on the link, how could it have gotten to servers that users do not have rights to? This did not just affect shares on servers. It affected servers without any shares.

Each workstation and server that was affected appears as if the link was clicked on that device. They somehow got to each device, uninstalled Trend Micro and infected it as if that was the device that clicked on the link.

We have hardware firewalls and workstations have Windows firewall enabled.

And finally how did it get to a server that was not on the domain and the administrator password was different than the domain administrator password. No one went on the internet when logged into the backup server.
John, Business Consultant (Owner), Most Valuable Expert 2012, Expert of the Year 2018

Commented:
The virus can transmit itself to any connected device. That is why backups should be removed from the system.
gilnov, Systems Administrator

Commented:
As I mentioned earlier, privilege escalation techniques can be used to gain access to other machines, including servers, on the network.

http://www.admin-magazine.com/Articles/Understanding-Privilege-Escalation
gilnov, Systems Administrator

Commented:
Here's a more general explanation of privilege escalation: https://en.wikipedia.org/wiki/Privilege_escalation
gilnov, Systems Administrator
Commented:
And here's a great presentation on the topic: https://www.youtube.com/watch?v=PC_iMqiuIRQ

It's a bit long but well worth a view.
btan, Exec Consultant, Distinguished Expert 2018
Commented:
Identification of ransomware - try using idransomware. Match against known type and variant. A decryptor may be available.
https://id-ransomware.malwarehunterteam.com

Authentication - suspect it came in through poor hygiene, e.g. use of unmanaged USB, email with phished content. Consider 2FA for local and remote administration.

Hygiene - Remote management via VPN is good but it should be augmented with NAC. It checks for health integrity before granting connection from a quarantine segment. The latter is the default segment for all unauthorised machines in their initial connection to the network.

Audit trails - Check for early hints of error and anomalous administrator activity in logs, assuming logging is enabled for account access and file access.

Application whitelisting is a critical add-on to reduce attack surface. Hope the FAQ helps: https://www.experts-exchange.com/articles/28059/TL-DR-Ransomware-Infected.html

PS - Do change the user account login if not done so...
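The audit-trail check suggested above, as an added example that is not part of the original thread: it scans constructed, simplified Windows Security/Application log records for privileged logons outside business hours, for removal of the endpoint-protection product, and for one source address fanning out to several hosts. The record format, host and account names, IP address and the MsiInstaller 1034 product-removal event are assumptions for the example, not details from the page.

```python
"""Flag off-hours privileged logons, AV removal and one-source fan-out in simplified log records."""
from datetime import datetime

# Constructed list of accounts that carry administrator rights (assumption, not from the page).
PRIVILEGED = {"CORP\\admin.jane", "CORP\\svc_backup", "BACKUP01\\Administrator"}
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59, Monday to Friday

# Constructed sample records: EventID|Time|Host|Account|Detail. 2018-06-16 is a Saturday.
SAMPLE_LOG = """\
4624|2018-06-16 19:42:10|FILESRV01|CORP\\svc_backup|LogonType=10 SourceIP=10.0.5.23
4624|2018-06-16 19:43:55|BACKUP01|BACKUP01\\Administrator|LogonType=10 SourceIP=10.0.5.23
1034|2018-06-16 19:45:02|FILESRV01|CORP\\svc_backup|Product=Trend Micro OfficeScan Agent
4624|2018-06-18 09:01:30|WS042|CORP\\jsmith|LogonType=2 SourceIP=-
"""


def parse(line):
    """Split one record into a dict; the detail field keeps its key=value pairs."""
    eid, ts, host, account, detail = line.split("|", 4)
    return {"id": int(eid), "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "host": host, "account": account, "detail": detail}


def off_hours(t):
    """Weekend, or a weekday outside BUSINESS_HOURS."""
    return t.weekday() >= 5 or t.hour not in BUSINESS_HOURS


def find_alerts(log_text):
    """Return (alert_type, host, account) for the two single-event conditions."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        # 4624 = successful logon; a privileged account at 19:42 on a Saturday is worth a look.
        if ev["id"] == 4624 and ev["account"] in PRIVILEGED and off_hours(ev["time"]):
            alerts.append(("off_hours_admin_logon", ev["host"], ev["account"]))
        # 1034 = MsiInstaller "product removed" (assumed here); the AV agent vanishing is a red flag.
        if ev["id"] == 1034 and "trend micro" in ev["detail"].lower():
            alerts.append(("security_product_removed", ev["host"], ev["account"]))
    return alerts


def fan_out(log_text, min_hosts=2):
    """Map source IPs that logged on to at least min_hosts distinct hosts to those hosts."""
    seen = {}
    for line in log_text.splitlines():
        ev = parse(line)
        if ev["id"] != 4624:
            continue
        src = dict(kv.split("=", 1) for kv in ev["detail"].split()).get("SourceIP", "-")
        if src != "-":
            seen.setdefault(src, set()).add(ev["host"])
    return {ip: sorted(hosts) for ip, hosts in seen.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(*alert)
    print(fan_out(SAMPLE_LOG))
```

Against real data the same three questions apply to Security event 4624 (with logon type and source address) and to whatever event your installer or AV console writes on uninstall.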

ajdratch (Author)

Commented:
These links were very informative. In this case the users did not have local admin rights. Most of my clients need local admin rights to run various 3rd party software.
gilnov, Systems Administrator

Commented:
Google "principle of least privilege" for more info. It is very bad security practice to operate a computer full time while logged in to an admin account. UAC helps but is not a security barrier (users will just reflexively hit the "Yes, infect me please" button).

What you should advise clients to do is log in with a standard user account and type in the password for an admin account any time they need to do something that requires admin rights. It's a bit of a hassle but miles closer to secure computing.
btan, Exec Consultant, Distinguished Expert 2018

Commented:
Users should not be allowed to install software, as it also means doing malware a favour: it makes their job easier by skipping the step to escalate privileges during its infection cycle.

When an organization does not remove administrator rights, users can change system settings, which affects compliance to regulatory standards. Failure to meet standards can result in more audits and remediation work.

Assuming Windows machines, there is a way to restrict this access for users: https://social.technet.microsoft.com/Forums/windowsserver/en-US/45de4290-c66c-4353-8b46-f5c3bcc1b710/how-can-i-remove-my-users-from-local-admin-rights-with-a-gpo?forum=winserverGP
