
A Hidden Cost of Ransomware: Wholesale Password Theft - feross
https://krebsonsecurity.com/2020/01/the-hidden-cost-of-ransomware-wholesale-password-theft/
======
Stierlitz
[https://krebsonsecurity.com/tag/vcpi/](https://krebsonsecurity.com/tag/vcpi/)

“In mid-November 2019, Wisconsin-based Virtual Care Provider Inc. (VCPI) was
hit by the Ryuk ransomware strain.”

In 2020, this is not acceptable in terms of “computer” security, where opening
an email attachment or clicking on a malicious link can totally compromise your
business. The planet's chief software architect has a lot to answer for.

~~~
lotsofpulp
Having everyone use iOS is an option.

------
obituary_latte
It states in the article that among other things, Autho and LastPass
credentials were stolen. I’m a 1Password user so am not familiar with those
password managers. Don’t they encrypt the credentials making theft of the data
useless? Or am I missing something?

~~~
prox
Not sure, but reading that I was assuming that the malware was able to
intercept the master password for these services. So the attackers could log
into those accounts.

~~~
notlukesky
SAASPASS is a password manager that unlocks on the desktop only with multi-
factor authentication. There is no master password to be stolen.

~~~
oarsinsync
Multi-factor means more than one factor.

Something you have + something you know are multiple factors.

There should still be a password. If there isn't, then it's single factor
auth.

Also, SAASPASS looks _really_ interesting. Thanks for sharing. Going to take a
much deeper look into this now.

EDIT: Nope, change of plans. The account recovery flow depends on SMS, which
isn't safe given how easy SIM-jacking is: [https://saaspass.com/how-to-recover-saaspass-id-account/](https://saaspass.com/how-to-recover-saaspass-id-account/)

~~~
notlukesky
Actually not. There are account recovery options that include a separate custom
question and answer (a password, let’s say), and also the option of cloning it
from another device as well. Those two different methods mitigate against SIM
jacking.

~~~
oarsinsync
See this link from today:
[https://news.ycombinator.com/item?id=22016212](https://news.ycombinator.com/item?id=22016212)

The parent's whole point was that this service doesn't have a master password.
Nope, instead it has a 4 digit PIN and SMS as its base flow, with security as
an optional extra.

A password manager shouldn't need to be caveated to be recommended. It's too
important for that.

------
sykonami
Can anyone please explain to me how all this ransomware works? Ok, they send an
infected email, some worker opens it and what next? How does it manage to
encrypt every other computer on the network? Shouldn't it have root/admin
privileges to do such a thing? And why is it so hard to prevent? I would really
appreciate any answers.

~~~
DownGoat
The gist of it is gathering credentials from the initially compromised
machines, and using them to access other computers on the network. A lot of
this is possible because of the way Windows handles authentication between
computers. Mimikatz is a tool that really made this method of lateral movement
much easier for attackers, and Microsoft has been slow to adapt defences. Over
time the attackers will eventually gather some admin credentials, and then it
is really game over.

It is hard to defend against, unless you want a system that constantly prompts
you for your password every time you want to do something. Frequent password
prompts are not really good for security either. Current mitigations really
just slow down the attacks and give you time to respond. If they are left
alone they will manage to gather credentials over time.

[https://github.com/gentilkiwi/mimikatz](https://github.com/gentilkiwi/mimikatz)
[https://www.sans.org/reading-room/whitepapers/detection/mimi...](https://www.sans.org/reading-room/whitepapers/detection/mimikatz-overview-defenses-detection-36780)

~~~
mox1
The "mimikatz" problem (aka memory protections on the lsass.exe process) has
basically been solved by Microsoft, they call it "Credential Guard". It works
by doing some trusted boot stuff and using the hyper-v hypervisor to protect
certain regions of memory from even the OS itself.

It's pretty complicated and requires Server 2016 or Windows 10. More info here:
[https://docs.microsoft.com/en-us/windows/security/identity-p...](https://docs.microsoft.com/en-us/windows/security/identity-protection/credential-guard/credential-guard)

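Since mox1's point only holds when Credential Guard is actually running (not merely configured), here is an added example, not from the thread or from Microsoft's docs, of how a defender can check that state on a Windows 10 / Server 2016+ host. It queries the `Win32_DeviceGuard` CIM class in the `root\Microsoft\Windows\DeviceGuard` namespace; the numeric codes (1 = Credential Guard, 2 = HVCI in the service lists; 2 = running for the VBS status) are the documented values, and the output field names are my own.

```powershell
# Added example: report whether virtualization-based security and
# Credential Guard are running on this host. Constructed for this thread;
# assumes a Windows 10 / Server 2016 or later host with CIM available.
$dg = Get-CimInstance -ClassName Win32_DeviceGuard `
        -Namespace 'root\Microsoft\Windows\DeviceGuard'

# VirtualizationBasedSecurityStatus: 0 = disabled, 1 = enabled but not running, 2 = running
$vbsRunning = ($dg.VirtualizationBasedSecurityStatus -eq 2)

# SecurityServicesConfigured / SecurityServicesRunning contain 1 for
# Credential Guard and 2 for HVCI (hypervisor-enforced code integrity).
$cgConfigured = ($dg.SecurityServicesConfigured -contains 1)
$cgRunning    = ($dg.SecurityServicesRunning    -contains 1)

# Summary object (field names are mine, not a Microsoft schema)
[pscustomobject]@{
    VBSRunning                = $vbsRunning
    CredentialGuardConfigured = $cgConfigured
    CredentialGuardRunning    = $cgRunning
}

# The state that matters for the "mimikatz problem" is Running, not Configured:
# a policy that is set but not active leaves LSASS secrets in ordinary memory.
if (-not $cgRunning) {
    Write-Warning 'Credential Guard is not running on this host; cached LSASS secrets are not isolated.'
}
```

The same values appear in `msinfo32` under "Virtualization-based security Services Running", which is handy for a spot check. Note the limit of this mitigation, which matters for the password-manager discussion earlier in the thread: Credential Guard isolates the secrets LSASS caches for Windows authentication, it does not protect a master password typed into a browser or desktop app on an already compromised machine.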
~~~
Stierlitz
@mox1: ‘The "mimikatz" problem (aka memory protections on the lsass.exe
process) has basically been solved by Microsoft, they call it "Credential
Guard". It works by doing some trusted boot stuff and using the hyper-v
hypervisor to protect certain regions of memory from even the OS itself.’

How about running the OS in a Virtual Machine, that evaporates on exit and you
get a new clean image on each invocation.

“All the King's horses and all the King's men couldn't put Humpty together
again”

------
Neil44
This is a common story with breaches, you often don’t find out about it till
they’ve finished with you. It’s pretty scary. If you don’t have someone good
whose attention is on this then you’re open to being blindsided.

------
jxramos
> Moral of the story: Companies that experience a ransomware attack — or for
> that matter any type of equally invasive malware infestation — should assume
> that all credentials stored anywhere on the local network (including those
> saved inside Web browsers and password managers) are compromised and need to
> be changed.

------
C14L
I think this article just convinced me to get a Yubikey...

~~~
Filligree
I attempted to use a Yubikey with GitHub, but when I tried to enable it,
Windows gave me an on-screen "soft" 2F dialog instead of making any use of the
device at all.

Seems related to something called "Hello"? Either way, I haven't found a way
to disable it. Caveat emptor.

~~~
Fnoord
With which browser?

~~~
Filligree
This was a while ago, so I don't quite remember. Either Chrome or Firefox.

------
coldcode
Most of these tools exploit Windows. I never hear of any wholesale ransomware
attacks on companies with pure MacOS and/or Linux desktops (yes I know there
are occasional individual apps that are malware but not ransomware).

~~~
roel_v
How many of those companies are there?

------
quack01
Ransomware - one of the last steps in a breach.