For online casinos, business begins to peak as gamblers punch out of work and belly up to virtual blackjack tables. But on this Tuesday in February at 5 p.m., the odds were not in the house’s favor. That’s when this virtual casino—with tens of millions of dollars in virtual transaction data, thousands of user profiles and millions invested in computer infrastructure—was hit with ransomware that risked turning a thriving business into an encrypted crime scene.
The criminals behind this attack couldn’t have picked a better target. This legal online casino, located outside the US, is one of the largest operators in the gambling and entertainment business. On the condition Threatpost would not identify the casino, we were given rare insight into a high-stakes ransomware attack that serves as a cautionary tale for any company.
“Yes, ransomware was on our radar. But in this business, where uptime is critical, daily denial-of-service and APT attacks had always been our chief concerns,” said the online casino’s chief security officer, whom Threatpost will identify as Robert. “To be clear, we had extensive security protocols in place and tools guarding our network,” he said.
The casino, with 1,000 employees, has an infrastructure that consists of two massive physical data centers and a cloud infrastructure. As for security, the casino uses a firewall from a top-tier supplier, data center security from another leading vendor and its client AV protection was from a mix of leading providers as well. It also had contracted real-time network monitoring from an outside service provider.
“It would be an understatement to say security was our top concern. It is our utmost concern,” Robert said. But nonetheless, there are no perfect security solutions. And on that Tuesday, as gamblers were logging on and servers whirled and whirred into overdrive, the casino learned the hard way nothing is bulletproof.
The attack started at 5 p.m. with the hook of a phishing email and a bogus invoice sent to an external consultant working in-house. Working behind the company’s firewall onsite, the consultant received an email with the subject line “Requested receipt ID:084C9F.”
Using the Windows 7 Sony laptop assigned to him by the casino, the consultant opened the email message and double-clicked on the attachment, unleashing the ransomware. Unknown to the casino was the fact that this consultant’s Sony laptop had zero security software running on it. Making matters worse, the laptop was misconfigured, with the “C:\Users\username\Public” folder wrongly set up to be shared on the company’s network.
Within minutes, the ransomware attacked the notebook’s default My Folders directory and began encrypting files, Robert said. The casino consultant recalls noticing the documents he had just saved couldn’t be opened and new extensions such as .XXX, .TTT, and .MICRO had been appended to them.
Nearly certain it was a technical issue, not a security concern, the consultant called the casino’s IT help desk for answers. As he waited and searched Google for clues as to why his files were mysteriously renamed and inaccessible, about a half-hour later, at 6 p.m., the consultant got a call from IT and was told abruptly to unplug the laptop’s Ethernet cord, and fast.
That laptop, Robert said, was linked to 80 other desktop and laptop PCs via a network of 15 shared servers. Servers contained a mix of critical network elements such as the company’s Active Directory Domain Services as well as a treasure trove of company applications and data.
Within that hour, the casino’s outside security firm, London-based Darktrace, had both been alerted by the casino that it was dealing with a ransomware attack and detected the attack independently. The company told Threatpost its monitoring showed the casino’s network, endpoints and traffic bustling with suspicious behavior.
Within that hour the damage, the casino believed, had been contained to the laptop now quarantined from the rest of the network. That damage included TeslaCrypt infecting the primary Sony laptop with encrypted files along with the “C:\Users\username\Public” folder. But they were wrong.
As the onsite IT teams were performing local triage, Darktrace technicians in London were noticing a tsunami of network activity and anomalies on the casino’s network.
Darktrace’s Dave Palmer, director of technology, said the company’s monitors watched as the ransomware wormed its way through the network and started scanning file directories in alphabetic order. “We spotted unusual network traffic and executables zipping around the network at lightning speed. There was a huge spike in the number of files being touched. Failed password attempts were off the charts. We were seeing traffic (coming into the network) from outside domains that nobody in the business had ever visited.”
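The signals Palmer lists (a burst of files touched by one host, files renamed with the .XXX/.TTT/.MICRO suffixes mentioned earlier, and a spike in failed logons) are the kind a file-server audit log can expose on its own. The script below is an added example written for this article, not Darktrace's or the casino's code: it walks a sliding time window per host over a simple constructed audit-log format and flags any host that crosses a threshold. The log format, host names, thresholds and sample events are all assumptions made for the example.

```python
"""Flag ransomware-style bursts in file-server audit logs.

Added example, not code from Darktrace or the casino. It looks for the
signals described in the article: a spike in files touched by one host,
renames that append extensions such as .xxx/.ttt/.micro, and a burst of
failed authentication attempts. The log format, host names, thresholds
and the sample lines are all constructed for this example.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta
import os

# Extensions the article reports being appended to the encrypted files.
RANSOM_EXTENSIONS = {".xxx", ".ttt", ".micro"}

# Constructed log line format: "<ISO-8601 time> <host> <WRITE|RENAME_TO|AUTH_FAIL> <path>"
Event = namedtuple("Event", "time host kind path")


def parse_log(text):
    """Parse the constructed audit-log format into Event tuples (blank lines skipped)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, kind, path = line.split(" ", 3)
        events.append(Event(datetime.fromisoformat(ts), host, kind, path))
    return events


def detect(text, window=timedelta(seconds=60), file_threshold=20,
           rename_threshold=3, auth_fail_threshold=10):
    """Return {host: set(reasons)} for hosts whose activity inside any
    sliding window crosses a threshold; hosts with normal activity are absent."""
    by_host = defaultdict(list)
    for ev in parse_log(text):
        by_host[ev.host].append(ev)

    findings = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.time)
        reasons = set()
        start = 0
        for end in range(len(evs)):
            # Advance the window start so evs[start:end+1] spans at most `window`.
            while evs[end].time - evs[start].time > window:
                start += 1
            span = evs[start:end + 1]
            touched = {e.path for e in span if e.kind in ("WRITE", "RENAME_TO")}
            renames = sum(1 for e in span if e.kind == "RENAME_TO"
                          and os.path.splitext(e.path)[1].lower() in RANSOM_EXTENSIONS)
            fails = sum(1 for e in span if e.kind == "AUTH_FAIL")
            if len(touched) >= file_threshold:
                reasons.add("file-touch burst")
            if renames >= rename_threshold:
                reasons.add("ransom-extension renames")
            if fails >= auth_fail_threshold:
                reasons.add("failed-auth burst")
        if reasons:
            findings[host] = reasons
    return findings


def build_sample_log():
    """Constructed sample: one workstation doing ordinary work plus one host
    that, within half a minute, rewrites 25 files on a share, renames each
    with a .micro suffix and racks up a dozen failed logons."""
    t0 = datetime(2016, 2, 9, 17, 0, 0)
    lines = []
    # Ordinary activity: a few writes spread over ten minutes.
    for i in range(5):
        t = t0 + timedelta(minutes=2 * i)
        lines.append(f"{t.isoformat()} WS-ACCT-03 WRITE \\\\FS01\\finance\\report{i}.xlsx")
    # Ransomware-style burst from the misconfigured laptop (hypothetical host name).
    for i in range(25):
        t = t0 + timedelta(minutes=4, seconds=i)
        base = f"\\\\FS01\\public\\doc{i:02d}.docx"
        lines.append(f"{t.isoformat()} LAPTOP-CONS WRITE {base}")
        lines.append(f"{t.isoformat()} LAPTOP-CONS RENAME_TO {base}.micro")
    for i in range(12):
        t = t0 + timedelta(minutes=4, seconds=30 + i)
        lines.append(f"{t.isoformat()} LAPTOP-CONS AUTH_FAIL \\\\FS02\\admin$")
    return "\n".join(lines)


if __name__ == "__main__":
    for host, reasons in detect(build_sample_log()).items():
        print(host, sorted(reasons))
```

The thresholds are deliberately low so the constructed burst trips all three checks; in a real deployment they would be tuned against a baseline of normal file-share activity, and the rename check would be one signal among several rather than a lookup of three known suffixes.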
Palmer said from the “C:\Users\username\Public” folder, the TeslaCrypt ransomware wormed its way onto the company’s network and onto a Hitachi shared storage server.
Time is critical at the outset of the infection, Palmer said. “It’s not the kind of security problem where you can get a cup of coffee while you are trying to figure out what to do next.” Within an hour after the consultant had double-clicked on the malicious email attachment, the casino and Darktrace were working as fast as they could to cordon off the infected server and limit TeslaCrypt’s ability to encrypt more endpoints.
This casino’s nightmare is not unique and neither is ransomware. Incidents of successful CryptoWall, TeslaCrypt, Petya and Locky ransomware attacks have been steadily on the rise. But security researchers at Cisco Talos said they are seeing a spike in targeted attacks on hospitals and other niche industries via spear phishing spam attachments.
“What we have seen with past non-ransomware infections is that things happen cautiously and quietly,” Palmer said. But with ransomware, it’s the opposite. “Ransomware’s goal is to get a strategic stranglehold on the organization as quickly as possible. It goes as fast as it can hunting down and encrypting as many files as it can and utilizing as much of the network bandwidth as it can.”
In total, Palmer said, the ransomware infected seven more laptops and desktop PCs attached to the same Hitachi shared storage server. And just as the Sony laptop was misconfigured, so were the infected Hitachi-attached computers; each had its “C:\Users\username\Public” folder set to be shared on the network. All seven of those ransomware-infected PCs were running Windows 7 with the latest security patches and had AV software running.
“While getting hit with ransomware is never a fortunate thing, we were lucky,” Robert said. “If the infection started to spread even a few hours earlier, a greater percentage of our employees would have been online and had their PCs infected. As it happens most had already left for the day.”
On a curious note, no ransomware message was ever found, likely because early detection nipped the infection in the bud. Lucky for the casino, none of the files encrypted would have been vital enough to pay for decryption.
“Six months ago, we might get one attempted ransomware attack a day and maybe a DDoS attack a month,” Robert said. “Now we are getting three ransomware attempts daily,” he said. Attacks, Robert said, arrive via spam attachments and malicious links, with a growing number of ransomware attempts trying to take advantage of vulnerabilities in the company’s myriad web services.
For Darktrace, the casino’s ransomware run-in was a typical attack. “We hear this type of technique every week. Typically we hear the company was using a temp, a contractor, suppliers or third-party service provider that was plugging in a gap,” Palmer said. Loaner laptops to those workers are seldom running the most recent OS with all the up-to-date patches. “That’s how it goes when you have a couple old crappy laptops running outdated versions of Windows,” Palmer said.
Robert said it was his company’s first run-in with a ransomware infection. The lessons learned are obvious. In this case the fatal flaw was letting even just one unprotected PC onto its network, coupled with the fact that its PCs were misconfigured to share the “C:\Users\username\Public” folder by default. Additionally, Robert said, his company’s proxy server should have flagged the domains TeslaCrypt was communicating with and never allowed traffic to those addresses.
In order to avoid running into this type of problem again, Robert said, the company is double-checking access privileges on PCs and servers, exercising extreme discretion when it comes to what users have access to on the backend and spending more time educating employees on spotting phishing emails.
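Robert's point about the proxy, that it should have flagged domains nobody in the business had visited and refused the traffic, amounts to a default-deny egress policy with a baseline of known domains. The script below is an added example written for this article, not the casino's proxy configuration or any vendor's product: it replays a constructed proxy log against a constructed baseline, denies every request to a domain outside it, records the first-seen domains per source host, and lists hosts that reached enough unknown domains to warrant isolation. The `.test` domains, host names and threshold are assumptions made for the example.

```python
"""Default-deny outbound proxy policy replayed over a constructed proxy log.

Added example, not the casino's configuration: a request is allowed only if
its registrable domain is in an established baseline; anything else is
denied and recorded as first-seen for the source host. Domains, hosts, log
format and threshold are constructed for the example.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed baseline: domains the business is known to use legitimately.
BASELINE = {"example-casino.test", "windowsupdate.test", "paymentgw.test"}

# Constructed proxy log, one request per line: "<time> <source host> <URL>"
SAMPLE_PROXY_LOG = """\
17:04:05 WS-ACCT-03 https://www.example-casino.test/intranet/timesheet
17:04:09 LAPTOP-CONS http://cdn.windowsupdate.test/update.cab
17:04:12 LAPTOP-CONS http://first-seen-a.test/gate.php
17:04:13 LAPTOP-CONS http://first-seen-b.test/gate.php
17:04:15 LAPTOP-CONS http://first-seen-a.test/gate.php
17:05:00 WS-ACCT-03 https://api.paymentgw.test/v1/settle
"""


def registrable_domain(url):
    """Crude registrable domain: the last two DNS labels of the URL host.
    Enough for the example; a real deployment would use the public suffix list."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def evaluate(log_text, baseline=BASELINE):
    """Apply the default-deny policy to every log line.

    Returns (decisions, first_seen): decisions is a list of
    (time, host, domain, 'ALLOW'|'DENY'); first_seen maps each source host
    to the set of unknown domains it tried to reach."""
    decisions = []
    first_seen = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, url = line.split(" ", 2)
        domain = registrable_domain(url)
        if domain in baseline:
            decisions.append((ts, src, domain, "ALLOW"))
        else:
            decisions.append((ts, src, domain, "DENY"))
            first_seen[src].add(domain)
    return decisions, dict(first_seen)


def hosts_to_isolate(first_seen, threshold=2):
    """Hosts that reached at least `threshold` distinct unknown domains;
    a single unknown domain is usually a user browsing, several in quick
    succession is worth pulling the cable over."""
    return sorted(h for h, domains in first_seen.items() if len(domains) >= threshold)


if __name__ == "__main__":
    decisions, first_seen = evaluate(SAMPLE_PROXY_LOG)
    for ts, src, domain, verdict in decisions:
        print(ts, src, domain, verdict)
    print("isolate:", hosts_to_isolate(first_seen))
```

Denying by default is what stops the traffic; the first-seen record is what turns a blocked request into an alert that IT can act on, which in this incident is the call that told the consultant to pull the Ethernet cable.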