Chatham County, NC, experienced a significant cybercrime attack. On October 28, 2020, county Management Information Systems (MIS) staff identified a ransomware attack on the county’s network. The attack used DoppelPaymer ransomware. This type of attack starts with fake emails that look real but carry harmful code; when someone opens the email or clicks a link or attachment, the code runs and downloads more dangerous software onto the computer.
One of these programs, Emotet, connects to the criminals’ command-and-control server (their “control center”) on the internet. From there it can download even more harmful programs and carry out other tasks.
In the DoppelPaymer attack, that control center was used to download another piece of malware called Dridex. Dridex let the attackers fetch DoppelPaymer and other tools they could use to steal information and cause damage. These tools do things like stealing passwords, moving around inside the computer network, and disabling security software.
After Dridex is on the computer, the attackers don’t immediately start encrypting files and demanding money. Instead, they look for valuable information to steal. Once they find something valuable, they activate DoppelPaymer, which locks up the files on the computer and makes them unreadable.
To make matters worse, DoppelPaymer also changes users’ passwords and restarts the computer in a special mode that blocks normal access. It displays a message demanding money and threatens to publish sensitive information if the ransom is not paid.
DoppelPaymer also leaves additional programs on the computer to help it carry out its attacks. These programs can control and terminate certain processes and services running on the computer, giving the attackers even more control.
Once the attack was identified, the Chatham County MIS team isolated the affected systems and sought assistance from state and local agencies experienced in handling such incidents.
Forensic analysis revealed that the ransomware infiltrated the network through a phishing email containing a malicious attachment. Although the exact data accessed by the criminals could not be determined, a limited number of county systems were compromised.
The consequences of the attack were substantial: the county lost computer functionality, internet access, office phones, and voicemail. To mitigate the impact, the county obtained loaner laptops from neighboring counties, towns, and Emergency Management. Temporary internet access points and phones were provided by Emergency Management, while staff set up temporary email addresses for internal communication and public access.
Efforts to recover from the attack were initiated immediately. Chatham Emergency Management played a crucial role in coordinating daily briefings with stakeholders throughout the first two weeks of the incident. The MIS staff, in collaboration with agency partners, undertook the task of completely rebuilding the county’s network infrastructure. Additionally, the county worked closely with software vendors to restore business systems to their previous state.
To ensure the eradication of the ransomware, servers and over 550 individual staff computers had to be wiped and reimaged, a time-consuming process but essential for restoring the integrity and security of Chatham County’s systems.
This incident should serve as a warning of the ever-present threat of cyberattacks and the importance of robust security measures to safeguard sensitive information.
Only a small fraction of attacks use previously unknown exploits, which would be very difficult to protect against. 95% of attacks are the result of ‘human error’. Common errors are:
Misdelivery of information. Email systems now auto-suggest or auto-complete email addresses, and sometimes people send to the wrong recipient. The message can include confidential information. In one case, the NHS shared a list of HIV-positive patients because the addresses were put in the “To” field instead of the “Bcc” field of the email. [Maybe we are all guilty of sending email to the wrong person. I know I have. Hopefully I have sent nothing confidential.] The nature of this type of mistake is that the sender might never realize it.
Weak Passwords. The most common passwords are “password” and “123456”. Any word-and-number combination can be guessed easily. Although only the worst systems store passwords in plain text, a cybercriminal can steal the encrypted or ‘hashed’ list of passwords and then try millions of candidates against it, looking for a match. Criminals also take stolen password lists and look for your reuse of the same password on other sites. So if you use the same password for an unimportant site, e.g. your newspaper subscription, and for your bank account, the criminals can easily gain entry.
Failure to Patch and Update. Criminals share methods of attack. Once a vendor like Microsoft or Cisco, or a project like Firefox, finds a weakness, it issues a patch or update to defend against that method of attack. But you have to apply the patch. Some systems, like Windows, will warn you and ask you to update, or update automatically (if you allow it). Other software and hardware will not; you need to find out proactively whether an update exists, download it, and apply it. The 2017 WannaCry ransomware succeeded on hundreds of thousands of computers even though Microsoft had issued a patch months earlier that would have blocked it.
Physical Security. Businesses can block criminals’ physical access to devices in their buildings. However, employees can leave information, such as passwords or access cards, in unsecured areas at work, at home, or at conferences. They can also let in strangers who ‘tailgate’ them through secure doors and gates.
Tim Steiner presented information about cybercrime at our Chatham Tech Talk in July. Tim is an ‘ethical hacker’ who runs a company that tries to break into its clients’ computing systems and find the weaknesses before criminals do.
Tim presented 3 practical steps for individuals to take:
- Use multi-factor authentication (MFA) when it is available, especially for important accounts. When logging on from a new computer, you will be asked for a code just sent to your phone or email account. This means a hacker would also need access to another of your accounts or devices in order to break into your important account. Google Authenticator and Authy are other tools that run on your phone and are even more secure.
- Use long, random passwords to make them impossible to guess, and never reuse them. Unless you have a photographic memory, you must record your passwords somewhere. Password managers record all your passwords and generate random ones, storing them behind one password you must remember. Tim mentioned Bitwarden and KeePassXC. Bitwarden stores your passwords online and makes it easy to have them available on your phone and computers. Offline storage, like KeePassXC, is slightly more secure, but you will need to back up the KeePass file yourself. [I use KeePass on my computer, and back up its database automatically with Dropbox (Google Drive will also work). I also have KeePass on my phone and occasionally update its database there.] A physical device is even more secure. OnlyKey is a USB device that also requires a password to gain access and, once unlocked, can provide the passwords to multiple accounts. OnlyKey is from Tim’s company and was developed in Chatham County.
- Avoid downloads and links that are not trustworthy. This includes documents and spreadsheets that can contain macros that run automatically and could install malware. Also be wary of downloading any file that looks safe but is actually an executable (.exe file extension). Don’t be fooled by phishing emails: do not click links in emails from people you do not know. It is also possible to fool you by ‘spoofing’ where the email came from. If you think a link is important, you can hover over it, right-click to copy it, and paste it into virustotal.com to check whether it is malicious, but be careful not to click and open the link accidentally.
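The hover-and-copy check above can be automated. The script below (an added example, not from Tim’s talk or the original post) extracts every link from a constructed sample of phishing-style HTML email, reports links whose visible text shows one web address while the underlying href points to a different host, and flags attachment names with executable or macro-enabled extensions, including the “looks like a PDF but ends in .exe” trick. The sample email, host names and extension list are all made up for illustration.

```python
import os
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Extensions that run code when opened (constructed list, not exhaustive).
RISKY_EXT = {".exe", ".scr", ".bat", ".js", ".vbs", ".hta", ".docm", ".xlsm", ".pptm"}

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url_like: str) -> str:
    """Return the lower-cased host of a URL or bare domain ('' if none)."""
    s = url_like.strip()
    if "://" not in s:
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()

def find_link_mismatches(html: str):
    """Links whose displayed address and real destination host disagree.
    Heuristic: only link text that itself looks like a domain/URL is compared."""
    p = LinkExtractor()
    p.feed(html)
    hits = []
    for href, text in p.links:
        shown = host_of(text) if re.search(r"\w+\.\w+", text) else ""
        real = host_of(href)
        if shown and shown != real and not real.endswith("." + shown):
            hits.append((text, real))
    return hits

def risky_attachments(names):
    """Attachment names whose final extension executes code when opened."""
    return [n for n in names if os.path.splitext(n.lower())[1] in RISKY_EXT]

# Constructed sample: one spoofed link, one safe subdomain link, one plain-text link.
SAMPLE_EMAIL = """<p>Your account is locked. Visit
<a href="http://login.example-verify.test/reset">https://www.bank.example.com/reset</a>
or <a href="https://secure.bank.example.com/help">bank.example.com</a> for
<a href="https://www.bank.example.com/contact">customer support</a>.</p>"""
```

Running `find_link_mismatches(SAMPLE_EMAIL)` reports only the first link, whose text claims bank.example.com while the href goes to login.example-verify.test; `risky_attachments(["invoice.pdf", "report.pdf.exe", "notes.docm"])` returns the last two names.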
Here are some of the software and services that Tim recommends. Most are open source, free, and have been thoroughly audited by independent experts:
Signal Messenger – Text and call others using Signal, which features end-to-end encryption, making it difficult or impossible for hackers or governments to listen to your communications.
Bitwarden – A free online password manager. It stores all your passwords behind one password you must remember. Allows you to access your passwords from multiple devices.
Brave Browser – Brave blocks all trackers and popup ads that appear on websites. You can control the amount of blocking. It even includes a simple VPN. [I use Brave as my secondary browser. For example, I use it to browse Amazon so that Amazon doesn’t suggest every single thing I looked at every time I use Amazon. I have Brave set to also automatically wipe all browsing data from its history, cache, cookies, etc. every time I close it. I use Brave to test that web pages I created in my other browser actually load properly and are working merely based on a leftover artifact from something stored locally.]
Tails OS – A simple operating system for temporary, maximum security. It is installed on a USB stick, which can be inserted into any computer; rebooting the computer from the stick starts this operating system. Nothing is ever saved locally, and the system routes traffic through Tor to obscure you and your location when you access the internet. These are the features journalists or activists in dangerous locations would use to hide any trace of their activity.
ProtonMail – Email from providers like Google and Microsoft is not end-to-end encrypted, is accessible by those companies, and is stored online. Civil and criminal courts and law enforcement can request all of your email. Hackers might also get access to your email through some sort of data breach of Google or Microsoft. ProtonMail uses end-to-end encryption, which means even Proton cannot read your email. A recipient outside Proton must have a password you previously shared to open the mail, and your emails can be set to expire. If both sender and receiver use ProtonMail, the encryption and decryption are handled automatically. The system includes encrypted contacts and digital signatures.
ProtonVPN – A virtual private network (VPN) obscures where you are and anonymizes who you are when you use the internet. This is not as important anymore, as almost all web traffic is already encrypted.
DuckDuckGo – This is a search engine that does not track you. Google and Bing keep track of your search history to provide you more effective searches and to more effectively advertise to you. Law enforcement and courts can request and get your search history from Google and Bing.
VeraCrypt – This is encrypted storage. You run VeraCrypt, point it to a file, give it your password, and you get a drive on your computer into which you can store any sort of file, just as on any other drive. When you close VeraCrypt, all anyone can see is a file full of random-looking data. [I have been using an old version for many years to store any tax files, or other such information that might be exploited if someone accessed my computer.]
Cryptomator – This is an encrypted storage folder that works seamlessly with online storage, like Google Drive and Dropbox.
Here are Tim’s slides from his presentation.
Here is a video of the event, recorded and produced by Gene Galin at Chatham Journal.