Australian Businesses Targeted by Ransomware

WHITE
CERT Australia
2012-78
Abstract
CERT Australia has received reports of ransomware targeting Australian
businesses.
Ransomware is a type of software which restricts access to a victim
computer system, and demands a ransom be paid to the perpetrator in order
for the restriction to be removed.
This publication is provided to warn stakeholders of this activity and assist
businesses in detecting and mitigating malicious activity.
This document remains the property of the Australian Government. The information contained in this document is for the use of the intended recipient only
and may contain confidential or privileged information. If this document has been received in error, that error does not constitute a waiver of any
confidentiality, privilege or copyright in respect of this document or the information it contains. This document and the information contained herein cannot
be disclosed, disseminated or reproduced in any manner whatsoever without prior written permission from the Assistant Secretary, CERT Australia,
Attorney-General's Department, 3 - 5 National Circuit, Barton ACT 2600.
The material and information in this document is general information only and is not intended to be advice. The material and information is not adapted to
any particular person’s circumstances and therefore cannot be relied upon to be of assistance in any particular case. You should base any action you take
exclusively on your own methodologies, assessments and judgement, after seeking specific advice from such relevant experts and advisers as you consider
necessary or desirable. To the extent permitted by law, the Australian Government has no liability to you in respect of damage that you might suffer
that is directly or indirectly related to this document, no matter how arising (including as a result of negligence).
CA-2012-78
Handling Instructions
This bulletin is designated WHITE. WHITE Alerts are not confidential. They contain information that
is for public, unrestricted dissemination, publication, web-posting or broadcast. You may publish the
information, subject to copyright and any restrictions or rights noted in the information.
Background
CERT Australia has received reports of a ransomware campaign that is targeting Australian businesses.
Ransomware is a type of software which restricts access to a victim computer system, and demands a
ransom be paid to the perpetrator in order for the restriction to be removed.
Detail
CERT Australia has received reports of a number of small to medium businesses across a range of sectors
that have been victims of ransomware extortion. The perpetrators gain access to the system via Microsoft
Remote Desktop Protocol (RDP), possibly using authentication credentials obtained by keyloggers, by brute
forcing systems with weak credentials, or by exploiting vulnerabilities in the RDP service.
The perpetrators then proceed to download tools to encrypt user files, including MYOB, PDFs and
Microsoft Office files that are required for normal business operations. The encryption process uses strong
encryption so that the files cannot be recovered without the decryption keys. The perpetrator demands
payment for access to these keys. Best practice is to not pay extortion attempts.
The attackers also use sdelete (secure delete) to wipe original files and backups that are connected to the
system; this means that the files are not recoverable using standard file recovery methods. It is important to
note that directly attached or network backups are rendered inaccessible.
The system will also display a fake lock screen that may claim that the victim’s computer has been
associated with criminal activity. This is a tactic to discourage the victim from reporting to law enforcement
agencies or CERT organisations. There are various themes used by the perpetrator for the fake warning
screen. For example, the perpetrator may claim to be from the Anti Cyber Crime Department of Federal
Internet Security Agency (ACCDFISA). There is no such agency.
Recommendations
CERT Australia suggests that stakeholders consider the following specific mitigations to protect against this
cyber security risk:
- Implement IP whitelisting for remote access connections.
- Use non-administrative accounts for remote access connections.
- Remove administrative accounts from the remote access group.
- Ensure that applications and operating systems are kept up-to-date with the latest software patches.
- Enforce strong password policies on user accounts to reduce the risk from brute forcing attempts.
- Make regular backups of important files and, importantly, store backups offline. The actors are known to also encrypt or delete backups that are directly connected to the system or network.
- Implement account lockout policies on your remote access server to reduce the risk from brute forcing attempts.
- Limit remote access connection attempts and log successful and failed connections.
- When remote access is required, use secure methods such as Virtual Private Networks (VPNs) with two factor authentication and/or certificate based authentication for remote access.
- For other mitigations please refer to the "Strategies to mitigate targeted electronic intrusions", "Defence in Depth Principles" and "Resilient Backups" publications. [1]
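To show how the logging, lockout and IP whitelisting recommendations above translate into detection, here is an added Python example (not from the advisory) that scans a constructed export of Windows Security logon events for the RDP intrusion pattern described in the Detail section: a burst of failed logons from one source, a successful logon following that burst, and any RDP success from a source outside the whitelist. It assumes a hypothetical one-event-per-line export format carrying Windows event IDs 4625 (failed logon) and 4624 (successful logon) with logon type 10 (RemoteInteractive, i.e. RDP), and a whitelist you supply.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
# Constructed sample events (hypothetical export format):
# timestamp  event_id  logon_type  account  source_ip
SAMPLE_LOG = """\
2012-11-05T02:14:01 4625 10 administrator 203.0.113.45
2012-11-05T02:14:03 4625 10 administrator 203.0.113.45
2012-11-05T02:14:05 4625 10 admin 203.0.113.45
2012-11-05T02:14:08 4625 10 backup 203.0.113.45
2012-11-05T02:14:11 4625 10 administrator 203.0.113.45
2012-11-05T02:14:14 4624 10 administrator 203.0.113.45
2012-11-05T09:01:22 4624 10 jsmith 192.0.2.10
2012-11-05T09:05:40 4625 10 jsmith 192.0.2.10
"""

LINE_RE = re.compile(r"^(\S+) (\d{4}) (\d+) (\S+) (\S+)$")

def parse_events(text):
    """Parse the export into (time, event_id, account, source_ip), RDP logons only."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, eid, ltype, account, src = m.groups()
        if ltype != "10":  # logon type 10 = RemoteInteractive (RDP)
            continue
        events.append((datetime.fromisoformat(ts), int(eid), account, src))
    return events

def find_rdp_alerts(text, whitelist, threshold=5, window=timedelta(minutes=10)):
    """Return sorted (alert_kind, source_ip) pairs: failure bursts, success after a burst, success from outside the whitelist."""
    nets = [ip_network(n) for n in whitelist]
    alerts = set()
    failures = defaultdict(list)  # source_ip -> timestamps of 4625 events within the window
    for ts, eid, account, src in sorted(parse_events(text)):
        recent = [t for t in failures[src] if ts - t <= window]
        if eid == 4625:
            recent.append(ts)
            failures[src] = recent
            if len(recent) >= threshold:
                alerts.add(("brute_force", src))
        elif eid == 4624:
            if len(recent) >= threshold:
                alerts.add(("success_after_burst", src))
            if not any(ip_address(src) in n for n in nets):
                alerts.add(("outside_whitelist", src))
    return sorted(alerts)
```

A "success_after_burst" hit from a non-whitelisted source is the case the advisory describes and warrants immediate incident handling, not just a lockout.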
Links
[1]
https://www.cert.gov.au/advisories
Feedback
CERT Australia is interested in any feedback that you may have with respect to this update and/or the
service that we provide. If you would like to provide us with your comments, please do not hesitate to
e-mail us at [email protected] or contact us on 1300 172 499.
NOTE: Organisations should consider the sensitivity of information sent to this email address as it will be 'in
the clear' and not secure. If needed, secure communication channels for sensitive or incident related
information are available on request.
Incident reporting
Stakeholders observing any activity connected to this publication are requested to contact CERT
Australia at [email protected] or 1300 172 499. This information is used to form an understanding of
Australia’s cyber threat context. All information is handled internal to the CERT and in strict
confidence. Secure communications mechanisms are available on request.
About CERT Australia
CERT Australia’s primary responsibility is to develop close working relationships with critical infrastructure
organisations and businesses that operate systems that are important to Australia’s national interest. In this
way, CERT Australia is able to help ensure that important services that all Australians rely on in their daily
lives are secure and resilient.
In addition to any internal or regulatory requirements that may be in place, CERT Australia stakeholders
can report cyber threats and incidents to CERT Australia on 1300 172 499. This telephone number assists
CERT Australia to rapidly respond to incidents impacting those services that are critical to all Australians.
Cyber crime involves the unauthorised access to or impairment of computer systems and is likely to
constitute an offence under the Commonwealth’s Criminal Code Act 1995 and/or State and Territory
criminal laws. If CERT Australia stakeholders suspect that they have been the victim of cyber crime they
should report it to the Australian Federal Police.
CERT Australia
SENSITIVE INFORMATION TRANSMISSION
Restrictions on Access and Use
Traffic Light Protocol
TLP CLASSIFICATION and RESTRICTIONS ON ACCESS AND USE

RED (Highly Restricted): Access to and use by your CERT Australia Security Contact Officer only. You must ensure that your CERT Australia Security Contact Officer does not disseminate or discuss the information with any other person, and you shall ensure that you have appropriate systems in place to ensure that the information cannot be accessed or used by any person other than your CERT Australia Security Contact Officer.

AMBER (Restricted internal access and use only): Subject to the below, you shall only make 'AMBER' Alerts available to your employees on a "needs to know basis" strictly for your internal purposes only to assist in the protection of your information and communications technology (ICT) systems. In some instances you may be provided with 'AMBER' Alerts which are marked to allow you to also disclose it to your contractors or agents on a "needs to know basis" strictly for your internal purposes only to assist in the protection of your ICT systems.

GREEN (Restricted to closed groups and subject to confidentiality): You may share 'GREEN' Alerts with external organisations, information exchanges or individuals in the network security, information assurance or critical network infrastructure community that agree to maintain the confidentiality of the information in the Alert. You may not publish or post on the World Wide Web or otherwise release it in circumstances where confidentiality may not be maintained.

WHITE (Not restricted; NOT CLASSIFIED): 'WHITE' Alerts are not confidential. They contain information that is for public, unrestricted dissemination, publication, web-posting or broadcast. You may publish the information, subject to copyright and any restrictions or rights noted in the information.
Any information received from CERT Australia that is not classified in
accordance with the Traffic Light Protocol must be treated as
‘AMBER’ classified information unless otherwise agreed in writing by
the Attorney-General’s Department.