Diebold Nixdorf, a company that is a major supplier of Automatic Teller Machines (ATM’s) and software to financial institutions was infected by the ProLock ransomware in late April. The intrusion was first reported by Brian Krebs from KrebsOnSecurity.com and confirmed by Diebold Nixdorf several days later. Fortunately it appears that the company was able to limit the attack to only parts of its corporate network while the ATM network and customer data was unaffected. Various stories circulating about the incident provide valuable lessons for other financial institutions that experience ransomware attacks and should be incorporated into incident response planning activities to ensure organizations are prepared as possible when attacked.
ProLock ransomware is a relatively new variant first seen in March 2020. The FBI’s Cyber Division put out an Alert in early May providing details on the attack methodology and Indicators of Compromise. ProLock is manually controlled which means an attacker first gain must access to the victim’s network. In the case of Diebold Nixdorf a phishing email was likely used by the attackers to gain an initial foothold. The FBI noted the QakBot trojan is associated ProLock and attackers using ProLock typically attempt to map out the networks they access and exfiltrate internal data before launching the ransomware attack which encrypts files and appends them with either a .prolock or .pr0lock extension. A .txt file directs victims to a TOR site to pay a ransom to obtain decryption keys. If QakBot is discovered on a device, it should be disconnected from the network since there is a strong possibility it will be used to launch a ProLock attack. A wrinkle in this process is the decryptor for ProLock has a bug and even with the correct decryption keys data corruption may occur on files larger than 64MB. Considering these details what can organizations do to prevent and mitigate ProLock attacks?
First, layers of controls should be implemented to prevent and mitigate phishing attacks as phishing remains one of the most common avenues of attack for data breaches and ransomware attacks. Technical tools such as advanced email protections can initially prevent malicious emails from reaching users and security awareness training can help users recognize phishing emails that make it past initial filters. If users do click on phishing links and download malicious files, next generation antivirus (NGAV) tools should be considered to provide a higher level of malware detection capabilities than traditional anti-virus tools and mitigate the ability of malware like QakBot and ProLock to go undetected in a company’s network. A deeper dive into how NGAV tools work was highlighted in another Schneider Downs cybersecurity article. Third-party penetration tests can also provide organizations with a good gauge of how well they would fare if attacked and provide training for a real attack.
Second, if an organization suspects their network has been infected with malware or has been attacked by ransomware, they need to call subject matter experts to assist with incident response. The FBI noted the ProLock ransomware attack is multi staged with attackers first attempting to exfiltrate internal data. While customer data is a key target, internal documents such as emails, customer lists and trade secrets could negatively impact organizations if stolen and publicly exposed. Incident Response specialists can help organizations determine the scope of an infection or potential breach, provide expertise on negotiating with attackers, coordinate with law enforcement and provide expertise on remediating an infection such as repairing buggy decryption tools and cleaning up persistent infections. Organizations should partner with a response team prior to an incident to speed up response activities and purchase cybersecurity insurance to offset response expenses.
Finally, good cyber hygiene and IT controls will mitigate the impact of any attack and prevent attackers from moving through a network from an initially infected device to other devices. In Diebold Nixdorf’s case it appears effective network segmentation was implemented to prevent attackers form reaching customer data. Internal firewall rules can be used to limit the protocols and devices attackers can use to move laterally through a company’s network. Patching of internal devices will also limit vulnerabilities that can be exploited to move laterally. Finally, backups should be seen as a last line of defense to recover from an attacks, storing backups offline or on a separate system will mitigate the risk that backups will also be encrypted.
Data breaches and Ransomware attacks continue to be a major cybersecurity concern and new variants and attack methodologies will challenge response teams. If your organizations needs help with developing or testing a response strategy, or if you have as experiencing and attack, reach out to Schneider Down’s cybersecurity team at [email protected].
About Schneider Downs Cybersecurity
The Schneider Downs cybersecurity practice consists of experts in multiple technical domains. We offer a comprehensive set of information technology security services including penetration testing, intrusion prevention/detection review, ransomware security, vulnerability assessments, and a robust digital forensics and incident response team. For more information, visit www.schneiderdowns.com/cybersecurity.
In addition, our Incident Response Team is available around the clock at 1-800-993-8937 if you suspect your organization is experiencing a network incident.
You’ve heard our thoughts… We’d like to hear yours
The Schneider Downs Our Thoughts On blog exists to create a dialogue on issues that are important to organizations and individuals. While we enjoy sharing our ideas and insights, we’re especially interested in what you may have to say. If you have a question or a comment about this article – or any article from the Our Thoughts On blog – we hope you’ll share it with us. After all, a dialogue is an exchange of ideas, and we’d like to hear from you. Email us at [email protected].
Material discussed is meant for informational purposes only, and it is not to be construed as investment, tax, or legal advice. Please note that individual situations can vary. Therefore, this information should be relied upon when coordinated with individual professional advice.