Starr Duskk
asked on
Malware Ransomware and sql server databases
From what I've read, ransomware triggers and starts encrypting your .mdf, .ldf and database backup files (as well as others).
Now, also they say that malware can sit on your box for months or more before it triggers.
Here's the question: A person I work with says that it attaches immediately to the database, but doesn't trigger the encryption until months later, so all your backups now have this ransomware attached to them.
That sounds like hooey to me that it is attached to your backups and the backup itself is the executable that starts the encryption, etc.
Facts on this please? Thanks!
And does anyone know WHY they wait for months to trigger it?
The longer it is on your system, the longer defenses can be found and implemented. This means hanging around for months is good if you are exfiltrating data. Different aims.
Ransomware usually executes very quickly -----
Yes, it's possible!
Hello,
There is no "ransomware" as such; there are several mechanisms and several implementations.
What a ransomware does, you know once you have it. Usually it is just software which tries to capture your computer. And from this computer, it either starts directly to encrypt what it can find, or it has a more detailed "intelligence" and tries first to spread inside the network before it starts working.
From the technical perspective it is also possible to implement something inside SQL Server, like a stored procedure, an SSIS package or an agent job. But the ransomware first has to find an SQL Server and get access to it.
Usually it infects one machine first, e.g. by phishing mails. Once infected, the ransomware can then try to reach other machines. This happens under the context of the users who log on to this machine.
If the spreader tries to catch just some small money from some inexperienced users, this may be a way. Most of these algorithms are known and possibly some tools (from virus scanner vendors) are already able to decrypt the content again.
But for larger attacks a single client is not interesting. So a more intelligent ransomware keeps silent and tries first to spread around and to infect more machines. As ransomware can possibly also communicate with the spreader, it may be that the spreader waits until he has found something that is worth encrypting. And then the spreader may activate the encryption.
But the longer an attacker waits, the more probable it is that the attack is discovered in time so that damage can be avoided.
You have to separate some hobby hackers from highly developed hacker groups, which plan their attacks over months, like the pipeline case in the US. Such attacks need not only a lot of preparation, they also need experienced developers who are able to attack even backend systems, which are usually not visible to normal clients. In some companies it's easy, in others quite harder, and they cannot repeat one attack a second time because virus scanners work with sequences they can observe, and if such a sequence is used, the virus scanners are able to identify them.
That means you either have to make it fast and attack as many computers as possible in a very short time, or you have to land the big coup and attack one company at its most sensitive part.
While the hacker group responsible for the pipeline attack chose the individual attack, the Exchange attack from March was a mass attack, but also selective: they infected a lot of machines, but they did not collect the data from all of them.
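An added audit query, not from the thread or any of its posters, that a DBA can run to inventory the SQL Server persistence points the answer above names (SQL Agent jobs with their steps, and stored procedures marked to auto-start). It assumes a sysadmin-level login and uses a 90-day window that is an arbitrary choice.

```sql
-- Added example: list Agent jobs and auto-start procedures for review.
-- Assumes a login with sysadmin (or SQLAgentReaderRole on msdb).
-- The 90-day window below is an assumed value; adjust to your change cadence.

-- 1. Agent jobs touched recently, or with steps that leave T-SQL
--    (CmdExec / PowerShell / SSIS run arbitrary code outside the engine).
SELECT  j.name                    AS job_name,
        SUSER_SNAME(j.owner_sid)  AS job_owner,
        j.enabled,
        j.date_created,
        j.date_modified,
        s.step_id,
        s.step_name,
        s.subsystem,              -- TSQL, CmdExec, PowerShell, SSIS, ...
        s.command                 -- what the step actually executes
FROM    msdb.dbo.sysjobs      AS j
JOIN    msdb.dbo.sysjobsteps  AS s ON s.job_id = j.job_id
WHERE   j.date_modified >= DATEADD(day, -90, SYSDATETIME())
   OR   s.subsystem IN ('CmdExec', 'PowerShell', 'SSIS')
ORDER BY j.date_modified DESC, j.name, s.step_id;

-- 2. Stored procedures flagged to run at every instance start
--    (set with sp_procoption); these can only live in master.
SELECT  p.name          AS procedure_name,
        p.create_date,
        p.modify_date,
        m.definition    AS procedure_body
FROM    master.sys.procedures   AS p
JOIN    master.sys.sql_modules  AS m ON m.object_id = p.object_id
WHERE   p.is_auto_executed = 1
ORDER BY p.modify_date DESC;
```

Compare the output against a baseline taken when the instance was known-good; an unfamiliar job owner, a CmdExec step, or any auto-start procedure you did not create deserves a look.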
Why wait for months?
Sometimes, bad actors get into your network by taking advantage of less technically-savvy users through a phishing email. This user's PC is now infected with something and is a toehold that the bad actor can use. However, this user may not have access to stuff that is of value. The attacker hangs out on your network, probing, and moves laterally until it gains "better" credentials, all the while scoping out what else is on your network that it might want to encrypt. In many cases it identifies stuff that it wants to exfiltrate (maybe confidential/sensitive data). If the bad actor finds data like that, it will start sending this data out somewhere - this will take some time too, and if they are careful, they will do it slowly so as not to trip any alerting devices on your network. (This is to give the victim an additional incentive to pay up - even if you have viable backups you may not want your competitors to know about your IP or business dealings.)
I have not heard of ransomware encryptors that replace or inject themselves into backup executables - but what do I know? Could happen, I suppose. I think what your colleague meant was that the attacker might wait for a while after initially gaining entry - identify where the backups are, and if it can encrypt the backups, then the victim is much more likely to pay up.
The wait and trigger are possible. I guess the part of triggering on a backup run and the ransomware getting to work is opportunistic. Ransomware can just encrypt the whole chunk of database, but it is typically a large chunk and we know encryption will take a long while. So if I wear the attacker's hat, I will want my malware to have less noise and stay silent and wait for the table or data to be retrieved, in smaller chunks, and encrypt it. Mostly on the incremental changes. But then I have yet to see such smart ransomware.
https://www.wingswept.com/hackers-wait-months-after-network-access-to-trigger-ransomware/
https://redmondmag.com/articles/2020/01/21/ransomware-database-servers.aspx?m=1
The general way around this that I use is to lock down all site files as root, where normal users can read files, just not change them.
And this applies mainly to LAMP Stack (server side) software, as trying to do this on Desktop systems would be... time consuming...
Because, for this to work, files stay locked (owned by root) most of the time, then only get unlocked during maintenance, then locked again after maintenance... where "maintenance" is generally managed/limited to <1 minute.
Hi.
May I introduce myself? I am Super-Malware TM, call me SM.
I install myself and lie in wait. I will not strike before I know I create maximum damage in order to demand a maximum ransom.
So I know all your backup systems and I am able to track when they run in the future. So I wait until they run, test the backups and only if these backups are consistent, I will proceed to delete all other backups but the compromised one and then I start encrypting.
Sounds hard, but for me it's easy as I am omnipotent and adapt to every possible environment, no matter if Unix- or Windows-based.
Always one step ahead.
Yours, SM
--
You cannot defeat omnipotent adversaries. But fortunately, those don't exist.
Just make sure you have backups that work, and follow the best practices that remain unchanged (from the pre-ransomware era).
Most ransomware attacks these days involve multiple groups of people and tools. There's an entire economy around it. Some people do the phishing for initial access. They sell that access to affiliates that use the initial tools to load additional tools in the network and gain administrator access to the domain. They then load ransomware developed by somebody else, and execute it when people are often less likely to be looking, like on Friday evening. There are groups that figure out your cyber insurance, and annual income to determine the ransom amount. There could be another group handling negotiations. There are escrow services and crypto laundering services.
That's just to give you an idea.
In the ransomware-as-a-service community everyone gets their cut of the proceeds, and some are fixed rates, like buying blocks of credit cards.
I suspect they would wait months to trigger the encryption so that they can be sure it has infected any backup, replication, and off-site storage you do.