Assessing The Ransomware Threat On IBM i
April 10, 2017 Alex Woodie
How would you like to be given the choice of paying a $200,000 ransom or having your server down for a month? Those are real outcomes from two recent ransomware attacks on IBM i servers, which cybercriminals may be starting to target.
“We certainly have seen a trend recently in malware and specifically ransomware, just based on the fact that now people have figured out how to monetize infecting your server,” says Robin Tatam, director of security technologies for HelpSystems and its PowerTech subsidiary. “There’s certainly an increased prevalence of that.”
Windows malware, in particular, poses a serious threat to the IBM i server, and it is allowing cybercriminals to extort large sums of money from IBM i shops by holding their data for ransom. While the IBM i operating system will not execute Windows malware in the traditional sense, its Integrated File System (IFS) can store and distribute Windows malware – including encryption-wielding ransomware strains.
Unfortunately, because the IFS appears to the outside world to be just another Windows file system, any data stored in libraries or folders on the IFS is subjected to the same threats as data stored in a Windows server.
The end result? If you or your users have mapped a drive from their PC workstation into the IFS, then any random piece of malware that lands on the PC can squirrel its way back into the IFS and do some damage, including encrypting the data, the chosen weapon of the ransomware criminal.
The threat for IBM i shops is very real, and it is well documented. Sandi Moore, an IBM i security consultant working with HelpSystems, shared information about two recent ransomware attacks on IBM i shops during a recent webinar.
“What happened to one company was a very unfortunate experience and it definitely caused some serious damage,” she says. In fact, it was a “perfect storm” type of setup. Here’s what happened:
One Friday afternoon, one of the company’s users inadvertently infected his or her PC with a piece of malware by clicking on a malicious email (whoops). Unfortunately, the user had ALLOBJ authority and a mapped drive to a shared folder on the IFS (double and triple whoops).
“With the mapped drive, the virus had free rein for the entire weekend over this customer’s IBM i,” Moore says. “They had 500,000 files encrypted on their system. It actually got to the point where it brought down TCP services. Nobody could sign on. Batch jobs halted because the files in the IFS that those batch jobs were using were no longer available because they were encrypted.”
When work resumed the following week, administrators realized something was very wrong. “When we finally helped them get the system scans, we found 248,000 infected files,” Moore says.
This particular customer decided not to pay the cybercriminals who had launched the attack, and instead sought to rebuild the system from backups. “They had good backups before the encryption and ransomware hit, so they were able to restore it,” Moore says. “Their system was rendered completely disabled. It took them the better part of a month to actually recover and get the system back up and working again to full capacity. It’s a worst case scenario but it’s very possible for it to happen given the state of security on many systems.”
However, some IBM i shops are choosing instead to pay the ransom, with the hope that the cybercriminals will honor the payment, which is usually made via untraceable bitcoin. “We had another customer who was desperate to get their files back and they actually paid the ransom of $200,000 to get the encryption key to have access to their files again in their IFS,” Moore says.
While paying the ransom to unlock the data is common, such large ransoms are rare. According to an IBM Security report from last year, 70 percent of businesses impacted by ransomware capitulated to cybercriminal demands, and paid an average of about $10,000 to regain access to data and systems.
Most of the time, the ransom requests are smaller. “It’s what you expect because they’ve got you over a barrel,” Tatam says. “They know you’re likely to pay $2,000 or $5,000 when they give you a time limit. They’re creating a sense of urgency.”
There have been reports of IBM i pros dealing with targeted ransomware attacks at their shops. In many cases, they respond by finding alternatives to using mapped network drives.
Getting rid of ALLOBJ authority in regular user profiles is also a good idea. If the user with ALLOBJ has wide-open access to the IBM i server and the IFS, then so does any piece of malware that weasels its way onto that user’s PC.
Ransomware wouldn’t have much daylight to work with in a properly configured IBM i environment. But the reality is many, if not most, IBM i shops fail to properly configure their servers, leaving layers upon layers of theoretical protection wide open for clever cybercriminals to exploit.
“Two hundred users on average are running with ALLOBJ, which is basically root-level access. They can do anything,” says Tatam, quoting per-shop figures from PowerTech’s annual State of Security report. “They have ALLOBJ more often than they don’t.”
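One way to measure the exposure Tatam describes on your own system, as an added example that is not from the article or from PowerTech: the query below uses the IBM i SQL service QSYS2.USER_INFO to list every enabled profile that holds *ALLOBJ, whether granted directly or inherited from its primary group profile (a user with a mapped IFS drive and group-inherited *ALLOBJ is just as exposed as one with it granted directly).

```sql
-- Added example (not the article's or PowerTech's code).
-- Lists enabled user profiles that hold *ALLOBJ special authority,
-- either directly on the profile or inherited from the primary group.
-- Run from ACS Run SQL Scripts or STRSQL on IBM i.
WITH allobj_groups AS (
  -- Profiles that carry *ALLOBJ themselves; any user whose primary group
  -- is one of these inherits the authority without showing it on their
  -- own profile.
  SELECT authorization_name
  FROM qsys2.user_info
  WHERE special_authorities LIKE '%*ALLOBJ%'
)
SELECT u.authorization_name,
       u.user_class_name,
       u.group_profile_name,
       CASE
         WHEN u.special_authorities LIKE '%*ALLOBJ%' THEN 'DIRECT'
         ELSE 'VIA GROUP ' || TRIM(u.group_profile_name)
       END AS allobj_source
FROM qsys2.user_info u
LEFT JOIN allobj_groups g
       ON g.authorization_name = u.group_profile_name
WHERE u.status = '*ENABLED'
  AND (   u.special_authorities LIKE '%*ALLOBJ%'
       OR g.authorization_name IS NOT NULL)
ORDER BY allobj_source, u.authorization_name;
```

Profiles that report *ALLOBJ only through a group are the ones most often missed in a manual review; reducing that list (and the mapped drives those users hold) is the mitigation the article is pointing at.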
Most ransomware is delivered via spam emails, according to IBM, so it’s not surprising to see that the number of spam emails spiked by 400 percent in 2016. Big Blue says about 44 percent of all spam contains malicious attachments, with ransomware accounting for 85 percent of those malicious attachments.
Some shops are focusing on end-user training as another way to thwart ransomware attacks. In 2015, United Computer Group partnered with KnowBe4 to help train users not to open attachments or click on links in suspicious emails. “Hover before you click” is the operative phrase reminding users to verify that a link actually goes to where it says it does and the URL isn’t spoofed. (The process for mobile users is a little more daunting; it involves holding the potentially dangerous link down long enough with your finger before a window pops up with the actual URL.)
If you’re hungry for work and have no moral qualms about stealing from others, you’ll be glad to know that launching a ransomware attack today is as easy as ordering a pizza. That’s according to Paul Kurtz at Dark Reading, who looked into the latest ransomware-as-a-service offering known as “Philadelphia.”
“The criminal developers behind Philadelphia even had the heart to offer a ‘mercy’ feature should a victim plead for access to ransomed family photos of lost family and friends,” he writes.
IBM i shops aren’t likely to see any mercy for their encrypted business documents. And when you consider the collective yawn that emanates from the IBM i community about security – despite all the commotion that IBM i security professionals make about the importance of properly configuring the platform – as well as the apparent inability of users to not click on infected attachments in email, it seems clear that cyber thieves will continue to exploit this lucrative new line of business.
“Cybercriminals continued to innovate in 2016 as we saw techniques like ransomware move from a nuisance to an epidemic,” said IBM Security vice president of threat intelligence Caleb Barlow. “The value of structured data to cybercriminals is beginning to wane as the supply outstrips the demand. Unstructured data is big-game hunting for hackers and we expect to see them monetize it this year in new ways.”
The FBI said last year that cybercriminals were on pace to pull in about $1 billion for the year through their ransomware scams. When you consider that an Imperva survey at the recent RSA 2017 conference showed 32 percent of companies were victims of ransomware, then it would appear that ransomware revenue is set to soar in 2017. Hopefully none of it comes from you.
So you are saying if we access the IFS using UNC path, that reduces the risk versus “mapping a drive”?