Defending against nation state ransomware


As a professional with over 20 years in the cyber security space, I cringe when a vendor presents and says: “attacks are getting more sophisticated and harder to defend against.”  While some of that rings true, it misses a critical point. The cyber security community has also become smarter, more vigilant, more sophisticated and more capable, and goes well beyond antivirus software and malware removal tools.  In all of my research this year, wherever I have seen gaps, we already had the means in hand to fix them easily.

With that said, there are two trends that look likely to rise in 2020 and for which we must be vigilant and prepared.

Firstly, warnings of attacks on critical infrastructure continue to increase worldwide.  While there is always a low level of chatter between monitoring bodies, recently the frequency and volume have increased. Furthermore, those who stand to benefit from such attacks, nation state actors, have learned to obfuscate their attacks through various techniques and by acting through layers of proxy actors.

Secondly, there has been a wholesale increase in ransomware attacks on city and local governments, healthcare providers and hospitals.  These attacks have often crippled those affected, have sometimes put lives at risk and are costly to recover from, despite free anti-ransomware tools being available.

About the author

Dave Klein is the senior director of cybersecurity at Guardicore.

Nation state actors have become more brazen

A major concern for 2020 must be the increasing number of capable nation state cyber actors.  These actors have become extremely skilled at using false flag and obfuscation techniques, and proxy actors, in their cyber warfare to prevent clear-cut attribution back to their home state.  By making attribution difficult, bad actors get away with their crimes and continue unhindered.  Furthermore, per the 2019 Verizon Data Breach Investigations Report, breaches attributed to nation state or state-affiliated actors rose from 12 per cent in 2017 to 23 per cent in 2018.

As the world has become more experienced at uncovering nation state players, so they have become more experienced at hiding, avoiding pitfalls and even manipulating data, tool kits and techniques to throw forensic analysts off by mimicking another nation state or criminal actors.

Go-to techniques that once identified attackers easily no longer work.  Timestamps, which when analysed statistically could reveal an attacker’s workday (and thus their time zone), are now routinely manipulated.  State actors know which strings in their own malware give them away, so coding and debugging artefacts are manipulated too: debug paths and metadata were once used to zero in on an attacker’s native language, usernames and coding habits.  Tool kits from other countries, and compromised networks in third countries used as relays, are reused to throw attribution off.
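The timestamp and metadata analysis described above, as an added example rather than anything from the article: it reads the linker timestamp from a PE header, applies the sanity checks an analyst uses before trusting it, and estimates a working-day UTC offset from a set of samples. The sample binaries, the 2019 campaign dates and the first-seen date are all constructed for illustration.

```python
"""Added example (not from the article): pull the linker timestamp out of a
PE image, apply the sanity checks analysts use to spot a manipulated one, and
bucket a set of timestamps by UTC hour to estimate an operator's working day."""
import struct
from collections import Counter
from datetime import datetime, timezone

EARLIEST_SANE_TS = 946684800  # 2000-01-01: anything earlier is suspect
DELPHI_TS = 0x2A425E19        # 1992-06-19, hard-coded by old Delphi linkers (known false positive)
FIRST_SEEN = 1552608000       # 2019-03-15T00:00Z, constructed first-sighting date for the samples


def pe_timestamp(data: bytes) -> int:
    """Return the COFF file header TimeDateStamp of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def timestamp_flags(ts: int, first_seen: int) -> list:
    """Reasons not to trust ts; first_seen is the earliest sighting (epoch seconds)."""
    if ts in (0, 0xFFFFFFFF):
        return ["zeroed or saturated"]
    flags = []
    if ts == DELPHI_TS:
        flags.append("delphi constant, not a real build time")
    elif ts < EARLIEST_SANE_TS:
        flags.append("implausibly old")
    if ts > first_seen:
        flags.append("post-dates first sighting")
    return flags


def busiest_window(timestamps, width=9):
    """Start hour (UTC) and hit count of the busiest contiguous width-hour window."""
    hours = Counter(datetime.fromtimestamp(t, timezone.utc).hour for t in timestamps)
    best_start, best_count = 0, -1
    for start in range(24):
        count = sum(hours[(start + i) % 24] for i in range(width))
        if count > best_count:
            best_start, best_count = start, count
    return best_start, best_count


def estimate_utc_offset(timestamps, local_start=9):
    """UTC offset (hours) at which the busiest window begins at local_start o'clock."""
    start, _ = busiest_window(timestamps)
    return (local_start - start + 12) % 24 - 12


def build_minimal_pe(ts: int) -> bytes:
    """Constructed stub: just enough header for pe_timestamp() to parse."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> PE signature at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, ts, 0, 0, 0, 0)  # 20-byte COFF header
    return bytes(dos) + b"PE\0\0" + coff


def constructed_samples():
    """Constructed campaign: builds on ten days, 01:00-09:00 UTC, plus one
    sample whose stamp the author zeroed."""
    stamps = [int(datetime(2019, 3, d, h, 30, tzinfo=timezone.utc).timestamp())
              for d in range(1, 11) for h in range(1, 10)]
    return [build_minimal_pe(t) for t in stamps] + [build_minimal_pe(0)]


def analyse(samples, first_seen):
    """Return (utc_offset_estimate, {sample_index: flags}) using only trustworthy stamps."""
    stamps = [pe_timestamp(s) for s in samples]
    flagged = {}
    for i, t in enumerate(stamps):
        f = timestamp_flags(t, first_seen)
        if f:
            flagged[i] = f
    clean = [t for i, t in enumerate(stamps) if i not in flagged]
    return estimate_utc_offset(clean), flagged


if __name__ == "__main__":
    offset, flagged = analyse(constructed_samples(), FIRST_SEEN)
    print(f"estimated operator time zone: UTC{offset:+d}")
    print(f"untrusted samples: {flagged}")
```

Only unflagged stamps feed the working-day estimate. A campaign whose stamps all sit neatly inside one workday can just as easily have been shifted there by the author, so the estimate is one signal to weigh against debug paths, language artefacts and infrastructure, not an answer on its own.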

Examples of attacks

For example, the North Korean APT known as Lazarus Group is known for imitating other languages in its code and for other activities that hide its attacks.  In the 2016 hack of DNC servers, the Russians invented a fictitious persona, a supposedly lone Romanian hacker called Guccifer 2.0.  US intelligence officials were first able to trace Guccifer 2.0 back to a Russian GRU operative when he failed to log in to a VPN service before visiting a social networking site.  The exposed IP address was linked to GRU headquarters itself.

By far the cleverest seen to date was Olympic Destroyer, the malware that took down the Olympic network’s wireless access points, servers, RFID ticketing machines and reporters’ internet access for around 12 hours during the opening ceremony of the 2018 Winter Olympics in Pyeongchang, South Korea.  Analysis of the malware uncovered many manipulations of metadata and code that made it look to be of North Korean origin.  Only later was it recognised as Russian, most likely in retaliation for Russia being barred from the games over the doping scandal from the previous Olympics.

While in the examples above attribution was eventually established, it is important to note that in all three cases this happened long after the fact. Even today, some people still believe the initial attributions.  The initial false flag therefore becomes a source of confusion and even of continued disbelief in the new evidence that is found.  The probability of a ‘successful’ attack, combined with the chance to create confusion and the improbability of accurate attribution, makes the whole effort worth the risk to some.

Damaging attacks

This success has led to larger and more damaging nation state cyber attacks. From Russia attacking Ukrainian power grids and communications several times in recent years, to the Iranian group tracked as APT33, which has been linked to Shamoon, disk-wiping malware that destroyed data on some 30,000 Saudi Aramco workstations and servers, state actors have attacked increasingly larger targets with the potential to cause increasingly greater damage.

In 2022, Qatar will of course host the World Cup. The country has a number of political enemies, and an attack like the one seen during the 2018 Olympics must be expected and prepared for.  Also concerning, there are several more radical “semi-state actors” in the region, such as the Cyber Caliphate Army (CCA) and the Syrian Electronic Army, that could easily act as a proxy for a larger state actor’s attack.

In summary, we need to be vigilant to these state actor trends, and we must do whatever is possible to better protect our critical infrastructure and citizens from attacks that will surely come.

Ransomware rampant with local governments, healthcare and hospitals

The two largest ransomware attacks to have ravaged the cyber world were both initially state sponsored. Russian state actors combined their own code, a credential-dumping tool called Mimikatz (written by a French developer) and EternalBlue, an exploit stolen from the US NSA, and unleashed NotPetya against Ukraine.  It spread from there and was the fastest-spreading ransomware seen to date, although, as its victims discovered, it was effectively a wiper: there was no working way to recover the encrypted data even after paying.  In creating WannaCry, the North Koreans likewise combined their own code with EternalBlue.

In city and local governments, and in hospitals and other healthcare organisations, IT budgets are often tight. They also tend to have flat networks, unpatched legacy software and end-of-life operating systems.  The outcome is that, from the US city of Baltimore to the British National Health Service, attacks have been crippling.  We should expect a continued climb in attacks on these two sectors in 2020.

The point of this article is not to scare, but rather to point out how we can remedy these situations.

What’s the solution?

There are some very simple, achievable things we can do to prevent attacks succeeding, or at least to reduce the blast radius and speed up clean-up when attacks do succeed.

For enterprises:

  1. Have a well written and rehearsed incident response plan:  An incident response plan must include non-technical personnel such as business leaders, the executive board and even end users.  Taking the attitude of “when, not if” is essential.  Attackers will come: socialise, educate and practise the incident response plan.
  2. Utilise least privilege:  Run without administrative rights.  Grant those rights only to authorised individuals and only when necessary.   This prevents both ransomware and state actors from easily commandeering devices, escalating privileges, burrowing into identity stores and moving laterally.
  3. Utilise strong passwords and two-factor authentication:  This is by far the easiest of the important changes I’ve seen enterprises take seriously of late.  Most of the largest breaches start with poor password discipline and a lack of two-factor authentication.
  4. Better certification, patching and vulnerability testing:  This is essential.  Many attacks succeed through software vulnerabilities that were patched long ago but where organisations failed to update their software.  NotPetya and WannaCry, and in fact any exploit built on the EternalBlue tool kit, took advantage of an SMBv1 vulnerability that Microsoft had patched in March 2017 (MS17-010), two months before WannaCry; where nothing still depends on it, SMBv1 should be disabled outright as well as patched.
  5. If and when an attack occurs: Having modern software-defined segmentation in place is the easiest way to reduce the blast radius of an attack.  Without making VLAN or IP address changes, software-defined segmentation lets you isolate critical applications. Many enterprises have a large number of legacy servers and devices that are considered essential to business function yet still run end-of-life operating systems.  Segmentation can act as a virtual patch for legacy systems that cannot otherwise be effectively secured but are still needed.
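One way to see what the least-privilege, patching and segmentation steps buy you, as an added example that is not Guardicore’s product or code: a label-based allow-list policy evaluated against a constructed inventory, with a breadth-first walk over lateral-movement ports to compute the blast radius from one compromised host. Hostnames, labels, ports and rules are all hypothetical.

```python
"""Added example (not Guardicore code): model a flat network against a
label-based segmentation policy and measure the blast radius an attacker
gets from one compromised host. Every host, label and rule below is
constructed for illustration."""
from collections import deque

# Constructed inventory: hostname -> labels. Names are hypothetical.
HOSTS = {
    "ws-clerk-01": {"role": "workstation"},
    "ws-clerk-02": {"role": "workstation"},
    "jump-01": {"role": "jump"},
    "app-permits": {"role": "app"},
    "db-permits": {"role": "db"},
    "win2003-billing": {"role": "legacy"},   # end-of-life OS that cannot be patched
    "bkp-01": {"role": "backup"},
    "dc-01": {"role": "dc"},
}

# Ports an attacker uses to hop between Windows/Linux hosts.
LATERAL_PORTS = {22, 135, 445, 3389, 5985}

ANY = {}  # an empty selector matches every host

# Allow rules: (source selector, destination selector, ports). Everything else is denied.
POLICY = [
    ({"role": "workstation"}, {"role": "app"}, {443}),
    ({"role": "app"}, {"role": "db"}, {1433}),
    (ANY, {"role": "dc"}, {53, 88, 389}),
    ({"role": "jump"}, ANY, {22, 3389, 5985}),
    ({"role": "backup"}, {"role": "legacy"}, {445}),  # the only SMB path to the legacy box
]


def matches(selector, labels):
    """True when every label in the selector is present with the same value."""
    return all(labels.get(k) == v for k, v in selector.items())


def allowed(src, dst, port, policy):
    """policy=None models a flat network where any host reaches any port."""
    if policy is None:
        return True
    s, d = HOSTS[src], HOSTS[dst]
    return any(matches(ss, s) and matches(ds, d) and port in ports
               for ss, ds, ports in policy)


def blast_radius(start, policy):
    """Hosts reachable from `start` by hopping over lateral-movement ports."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for host in HOSTS:
            if host not in seen and any(allowed(cur, host, p, policy) for p in LATERAL_PORTS):
                seen.add(host)
                queue.append(host)
    return seen - {start}


def exposure_report(start):
    """Compare what one compromised host reaches on a flat versus a segmented network."""
    return {
        "flat": sorted(blast_radius(start, None)),
        "segmented": sorted(blast_radius(start, POLICY)),
    }


if __name__ == "__main__":
    for host in ("ws-clerk-01", "bkp-01", "jump-01"):
        print(host, exposure_report(host))
```

The legacy host shows the “virtual patch” idea: it still accepts SMB, but only from the backup server, so an EternalBlue-style exploit launched from a compromised workstation never reaches it. The jump host shows the caveat: whatever is allowed to reach everything must itself get the least-privilege and two-factor treatment from steps 2 and 3, or it becomes the attacker’s preferred foothold.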

For critical infrastructure:

  1. All of the above applies.
  2. In addition, an accurate analysis and assessment of the critical infrastructure estate is essential.  This is accomplished by seeking better visibility across the enterprise.  Many solutions accomplish this in a platform-agnostic fashion, so you can look across all your platforms at once instead of running multiple, platform-specific tools.
  3. You also need to be able to detect and identify non-traditional compute nodes.  In today’s IP-connected world, an attack often arrives through IP-connected IoT devices or through the networks on which they reside.
  4. It will also take excellent incident response planning, planning that includes local, state and national government participation, and practice drills.  A major disruption could cause wide-scale panic, so these plans need to include law enforcement and emergency relief.
  5. Finally, better coordination and information sharing between domestic and international intelligence and law enforcement organisations is necessary.

Let’s revisit the 2018 Olympics attack for a minute.  The team running the Olympics, while hit hard by a custom attack, had the above measures in place and a well rehearsed incident response plan. RFID ticket scanners failed, but the ticket takers were able to fall back to the manual inspection and reference system they had in place.  4G access points were on hand for incidents like these and provided temporary networking.

All of the venue’s machines were re-imaged from backups.  Korea’s own AhnLab, which had been part of the incident response plan, was able to find the malware and produce signatures and remediation scripts within an hour.  Within 12 hours, at exactly 8AM and right before the first athletic event, everything was back in place.  Russia’s mightiest APT and its custom false flag attack caused little more than a minor hiccup, and the Olympics went on without a hitch.


While nation state attacks have become more brazen and attribution more difficult, and while ransomware poses a real challenge, especially to local governments and the hospital and healthcare sector, we have also grown in our capabilities to defend against them.  The steps aren’t difficult to implement.  Those who are vigilant can greatly limit the blast radius and effect of these attacks.  The attackers aren’t the only ones who have become more skilled.  We have as well.

