Ransomware Persists

The Network: The central bank of a nation, the institution that sets its monetary policy. There are hundreds of servers and thousands of workstations. IT security is diligent: systems are patched, a current brand-name antivirus runs on every endpoint, and a next-generation firewall and intrusion detection system sit inline.

The Expectation: A secure network, and in particular secure endpoints, is essential to the bank's proper functioning.

The Catch: An unexpected process with an odd name (cjkvy-bc.exe) is observed on a workstation. Shortly after the process launches, communication is observed from that workstation to a known botnet command-and-control (C&C) IP address registered in Germany.

The Find: The MD5 hash of the process executable matches a known ransomware sample; the signature is TeslaCrypt. (A hash match only identifies a sample already seen elsewhere; a repacked variant carries a different hash, which is why the odd process name and the C&C traffic matter as much as the lookup.) Closer examination shows that the EXE has been added to the Startup group (the Windows Startup folder) on the workstation. The program is therefore launched each time a user logs in, so the infection persists across reboots.
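The three observations above (an unknown process, a connection to a known C&C address shortly after launch, and an autostart entry) can be correlated automatically from endpoint telemetry. The following is an added example, not code from the case study: a small triage routine run over constructed, Sysmon-like log lines. The process hash, the C&C address and the paths are placeholders I made up for illustration, not real TeslaCrypt indicators; the hash and IP sets stand in for a threat-intelligence feed.

```python
"""Correlate process launch, C&C beacon and autostart persistence per process.

Added example (not from the original write-up). Telemetry, hash and IP values
are constructed; replace the indicator sets with the team's own intel feed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log: tab-separated timestamp, event kind, host, pid, image, detail.
# detail = MD5 for ProcessCreate, dst_ip:port for NetworkConnect,
# path written for FileCreate, value path for RegistrySet.
SAMPLE_LOG = """\
2016-03-02T09:14:03Z\tProcessCreate\tWS-0412\t2188\tC:\\Users\\jdoe\\AppData\\Roaming\\cjkvy-bc.exe\t0badf00d0badf00d0badf00d0badf00d
2016-03-02T09:14:04Z\tFileCreate\tWS-0412\t2188\tC:\\Users\\jdoe\\AppData\\Roaming\\cjkvy-bc.exe\tC:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\cjkvy-bc.lnk
2016-03-02T09:14:11Z\tNetworkConnect\tWS-0412\t2188\tC:\\Users\\jdoe\\AppData\\Roaming\\cjkvy-bc.exe\t198.51.100.23:443
2016-03-02T09:15:40Z\tProcessCreate\tWS-0412\t2310\tC:\\Program Files\\Internet Explorer\\iexplore.exe\t0123456789abcdef0123456789abcdef
2016-03-02T09:15:41Z\tNetworkConnect\tWS-0412\t2310\tC:\\Program Files\\Internet Explorer\\iexplore.exe\t203.0.113.5:443
"""

KNOWN_BAD_MD5 = {"0badf00d0badf00d0badf00d0badf00d"}   # assumed: placeholder intel entry
KNOWN_C2_IPS = {"198.51.100.23"}                      # assumed: placeholder C&C blocklist entry
# Autostart locations: per-user/all-users Startup folder and the Run registry keys.
STARTUP_MARKERS = ("\\start menu\\programs\\startup\\", "\\currentversion\\run\\")
BEACON_WINDOW = timedelta(minutes=5)   # "soon after launch" for the C&C correlation


def parse_events(text):
    """Parse the tab-separated telemetry into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) != 6:
            continue
        ts, kind, host, pid, image, detail = fields
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "kind": kind, "host": host, "pid": int(pid),
                       "image": image, "detail": detail})
    return events


def triage(events, bad_md5=KNOWN_BAD_MD5, c2_ips=KNOWN_C2_IPS, window=BEACON_WINDOW):
    """Return {(host, pid): {"image": ..., "indicators": [...]}} for processes
    showing a known-bad hash, a C&C beacon within `window` of launch, or a
    persistence write. Keyed on (host, pid) for brevity; production telemetry
    should key on a process GUID because PIDs are reused."""
    by_proc = defaultdict(list)
    for ev in events:
        by_proc[(ev["host"], ev["pid"])].append(ev)

    findings = {}
    for key, evs in by_proc.items():
        evs.sort(key=lambda e: e["ts"])
        starts = [e for e in evs if e["kind"] == "ProcessCreate"]
        if not starts:
            continue
        start = starts[0]
        indicators = []
        if start["detail"].lower() in bad_md5:
            indicators.append("known-bad hash")
        if any(m in start["image"].lower() for m in STARTUP_MARKERS):
            indicators.append("persistence: image runs from an autostart location")
        for e in evs:
            if e["kind"] == "NetworkConnect":
                ip = e["detail"].rsplit(":", 1)[0]
                delay = e["ts"] - start["ts"]
                if ip in c2_ips and timedelta(0) <= delay <= window:
                    indicators.append("C&C beacon to %s %ds after launch" % (ip, delay.seconds))
            elif e["kind"] in ("FileCreate", "RegistrySet"):
                if any(m in e["detail"].lower() for m in STARTUP_MARKERS):
                    indicators.append("persistence: " + e["detail"])
        if indicators:
            findings[key] = {"image": start["image"], "indicators": indicators}
    return findings


if __name__ == "__main__":
    for (host, pid), f in triage(parse_events(SAMPLE_LOG)).items():
        print("%s pid %d %s" % (host, pid, f["image"]))
        for ind in f["indicators"]:
            print("    -", ind)
```

On the constructed log only the cjkvy-bc.exe process is reported, with all three indicators; the browser's connection to an unlisted address is left alone. Any single indicator is enough to surface a process for a human to look at, since a repacked sample would miss the hash match but still beacon and still persist.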

The Fix: Quarantine the workstation from the network and block the C&C address at the firewall. Capture a disk and memory image for the investigation before anything is wiped, then disinfect by re-imaging the machine with the company's standard image. Scan every drive mapped from that workstation for encrypted files and ransom notes, since a ransomware process encrypts any share its user can write to, and restore affected files from backup.
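Scanning the mapped drives is the step most likely to be skipped or done by eye. The following added example (my code, not part of the case study) walks a directory tree and flags three things: files carrying a ransomware-appended extension, files whose names look like a ransom note, and files that should be plain text but whose contents are near-random, which is what an encrypted file looks like regardless of its name. The extension list is an assumed partial list and should be replaced with current intelligence for the family in question; the sample tree is constructed inside a temporary directory so the script runs offline.

```python
"""Walk a share and flag files that look ransomware-encrypted.

Added example, not from the original write-up. The extension list and note
keywords are assumptions to be replaced by current threat intel; the demo
tree is constructed in a temporary directory.
"""
import math
import os
import random
import tempfile
from collections import Counter

RANSOM_EXTENSIONS = {".ecc", ".ezz", ".exx", ".vvv", ".ccc", ".micro"}  # assumed, partial
NOTE_KEYWORDS = ("restore", "recover", "decrypt")                      # assumed heuristic
# Only check entropy where the format is expected to be low-entropy; archives,
# images and Office XML documents are compressed and would be false positives.
PLAINTEXT_EXTENSIONS = {".txt", ".csv", ".log", ".xml", ".sql", ".ini"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; random/encrypted data sits near 8.0
MIN_SIZE = 4096           # tiny files give unreliable entropy estimates
SAMPLE_BYTES = 65536      # read only the head of each file


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path):
    """Return a reason string if `path` looks affected, else None."""
    name = os.path.basename(path).lower()
    ext = os.path.splitext(name)[1]
    if ext in RANSOM_EXTENSIONS:
        return "ransomware extension"
    if ext in (".txt", ".html") and any(k in name for k in NOTE_KEYWORDS):
        return "possible ransom note"
    if ext not in PLAINTEXT_EXTENSIONS:
        return None
    try:
        if os.path.getsize(path) < MIN_SIZE:
            return None
        with open(path, "rb") as fh:
            head = fh.read(SAMPLE_BYTES)
    except OSError:
        return None
    if shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "high-entropy content under a plaintext extension"
    return None


def scan_tree(root):
    """Return a sorted list of (relative path, reason) for flagged files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            reason = classify_file(full)
            if reason:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                findings.append((rel, reason))
    return sorted(findings)


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Build a constructed share in a temp dir, scan it and return the findings."""
    rng = random.Random(20160302)
    noise = bytes(rng.getrandbits(8) for _ in range(SAMPLE_BYTES))  # stands in for ciphertext
    with tempfile.TemporaryDirectory() as root:
        _write(root, "reports/q1.txt", b"quarterly figures, unchanged plain text\n" * 200)
        _write(root, "reports/q2.docx.vvv", noise)            # appended extension
        _write(root, "reports/budget.csv", noise)             # encrypted in place, name kept
        _write(root, "reports/Howto_Restore_FILES.txt", b"pay to get your files back\n")
        _write(root, "photos/img.jpg", noise)                 # compressed format, not flagged
        return scan_tree(root)


if __name__ == "__main__":
    for rel, reason in demo():
        print("%-40s %s" % (rel, reason))
```

Run it against each mapped drive letter in turn; anything flagged goes to the restore-from-backup list. The entropy check is what catches a variant that keeps the original file name, while the plaintext-only restriction keeps legitimate archives, images and .docx files out of the report.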

The Lesson: Modern attacks are not reliably stopped by traditional, signature-based defenses; this sample ran on a patched workstation with current antivirus, behind an inline firewall and IDS. Digital forensics techniques at the endpoint, that is, examining the processes, network connections and autostart entries of the machine itself, are now essential.