Travelex cyber attack – what happened and why it’s relevant to SMEs

9th January 2020 Advice 4 Minutes

Tl;dr

Sodinokibi requires administrative privileges to run; the ransomware uses either the logged-on account (if it’s an administrator) or escalation via CVE-2018-8453.

The best mitigation is to follow good security practices:

  • Don't log in with an administrator account; use UAC to escalate privileges on a per-user basis.
  • Microsoft has provided a patch for CVE-2018-8453. Ensure you’re installing all Windows Updates.

Travelex Cyber Attack

According to a 2019 survey conducted by Datto, 1 in 5 SMEs fell victim to a ransomware attack through the calendar year. The Travelex cyberattack that’s hit the headlines over the last week is an example of just that, except the SME part!

With additional detail emerging daily, Security Analysts have identified Sodinokibi as the likely strain of malware. I want to take the time to break down this threat and why it’s relevant to all of us as SMEs.

Encryption – What it is, why we need it

Encryption is a universal way for us to restrict who can access our data; it forms an integral part of our digital safety. This conversation will focus on one type of encryption, asymmetric encryption, as it's the same type used by both your web browser and ransomware.

The user encrypting the data generates two keys, a public key and a private key. These two keys work in tandem: if you encrypt data using the public key, only the private key can reverse it, and the same holds vice versa.

What is ransomware

Ransomware is a type of malicious software (malware) that uses encryption to hold your data to ransom, hence the name. The attacker generates a pair of keys unique to each victim – a public key and private key. The public key is downloaded by the ransomware program on the user's computer, while the private key resides securely on the attacker's server. The ransomware program then uses the public key to encrypt your data and yes, you guessed it, the private key they hold is the only way to decrypt it. Rather nicely, they agree to provide the private key if you agree to hand over an obscene amount of money.

The sophistication of ransomware varies from program to program and is, quite frankly, out of the scope of this post. What's important to mention is that different strains of malware exploit different vulnerabilities, so we all need to make sure we're following a good basic standard to prevent them.

How machines get infected and what you can do

The easiest way to infiltrate any organisation is through the users and that’s exactly how the majority of ransomware is delivered. Installing unknown applications, clicking unverified web links and opening dubious emails are all a massive no-no.

Our six practical steps to create a good baseline are:

  1. Educate your users
    As it's a fairly dry topic, we love NINJIO for bringing it to life.
  2. Filter emails before delivery to your end-users
    We use Spam Titan to scan emails for known spam, junk and virus flags.
  3. Use a web filter
    Cisco Umbrella is a fantastic entry-level option; it uses DNS to protect your entire network.
  4. Install a third-party anti-virus
    Microsoft Security Essentials isn't bad, but it's not viable for corporate use without more of their products. Third-party AV solutions allow you to correlate and stop threats across your network.
  5. Install updates
    Installing updates from both Microsoft and third parties is critical. Vendors produce updates in response to known exploits; installing them is the only way to protect yourself.
  6. Evaluate your backup strategy
    Ensure it's fit for purpose for your organisation. Relying on backups as your primary protection against malware is closing the stable door after the horse has bolted, though.

Sodinokibi – what makes it different?

The reason we're discussing Sodinokibi is that it's great at obfuscation, that is, hiding from your anti-virus. Once a user has inadvertently run the ransomware program, it looks to attain administrator privileges on the machine. If the user that ran it is an administrator, hey presto, nothing else is required and the encryption begins. If not, and this is where it gets clever, it looks to exploit a well-known Windows privilege-escalation (PrivEsc) vulnerability, CVE-2018-8453. Essentially, an authenticated user without administrator rights can become one, at which point the encryption process begins.

A good cyber security strategy is the catch-all answer as it works for all strains, but specifically in this case:

  1. Do not log in as an administrator. Use a low-privilege account for everyday use and elevate permissions using UAC on a case-by-case basis.
  2. Install all updates! Microsoft released a Windows patch in 2018 for this vulnerability; the PrivEsc cannot take place if you're fully up to date.
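As an added example (not from the original post), this PowerShell audit checks the two points above on a workstation: whether the account you use day to day sits in the local Administrators group, and whether Windows updates are actually being installed. The KB number is a placeholder to fill in from Microsoft's advisory for CVE-2018-8453 for your Windows build.

```powershell
# Added example, not from the original post: a read-only audit of the two
# Sodinokibi mitigations above. Run it in a normal (non-elevated) PowerShell
# window, logged in as the account you use every day.

function Test-AccountIsLocalAdmin {
    # The Administrators SID (S-1-5-32-544) stays in the token even when UAC has
    # filtered it ("Group used for deny only"), so this catches an account that
    # is an admin but simply not elevated right now.
    $groups = whoami /groups
    return [bool]($groups | Select-String -SimpleMatch 'S-1-5-32-544')
}

function Test-SessionIsElevated {
    # True only when this window has already passed a UAC prompt.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-UpdateStatus {
    param(
        # Placeholder: look up the KB that fixes CVE-2018-8453 for your Windows
        # build in the Microsoft Security Update Guide and pass it in.
        [string]$RequiredKB = 'KB<number-from-MSRC>'
    )
    $hotfixes = Get-HotFix
    $latest   = $hotfixes | Where-Object { $_.InstalledOn } |
                Sort-Object InstalledOn -Descending | Select-Object -First 1
    $days = if ($latest) { (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days } else { $null }
    [pscustomobject]@{
        RequiredKBInstalled = [bool]($hotfixes.HotFixID -contains $RequiredKB)
        LastUpdateInstalled = if ($latest) { $latest.InstalledOn } else { $null }
        DaysSinceLastUpdate = $days
    }
}

if (Test-AccountIsLocalAdmin) {
    Write-Warning 'This everyday account is in Administrators: if it runs the ransomware, no exploit is needed before encryption starts.'
} else {
    Write-Host 'OK: everyday account is not an administrator; the ransomware would need CVE-2018-8453 (or a UAC prompt you approve).'
}
if (Test-SessionIsElevated) { Write-Warning 'This window is already elevated; close it and work from a standard prompt.' }

$status = Get-UpdateStatus
if (-not $status.RequiredKBInstalled) { Write-Warning 'The KB for CVE-2018-8453 is not listed by Get-HotFix; run Windows Update.' }
if ($null -eq $status.DaysSinceLastUpdate -or $status.DaysSinceLastUpdate -gt 30) {
    Write-Warning "Last recorded update was $($status.DaysSinceLastUpdate) days ago; check that Windows Update is running."
}
$status
```

Get-HotFix only reports updates recorded in Win32_QuickFixEngineering, so treat a missing KB as a prompt to check Windows Update rather than proof that the machine is unpatched.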

Comments

  • Dragisa Matovski says:

    Great post Sam, loving the detail.