Casino Ransomware Attacks

    Casino ransomware attacks have been making the headlines lately. Our very own CEO, Catherine Sullivan, was recently interviewed by News 9 in Oklahoma City about the impact of ransomware on the average consumer.

    We have worked a number of ransomware and other incidents with casinos, and from a security perspective they share many similarities. One thing to keep in mind is that it is no one person’s fault when an organization gets breached. As much as high-profile companies like to blame one person, such as an intern, for making the critical mistake that resulted in an incident, that is never the whole story.

    Breaches are the result of a breakdown in policy and procedure somewhere within the organization.

    Attacking a Casino

    Most casino heist movies start with a thorough understanding of how the casino operates and where the gaps in its security are. The thieves then formulate a plan of attack based on the observed weaknesses, gain access, acquire the money, and finally make their exit.

    If they are good, their tracks are well covered and they never get caught. That is extremely difficult to do today; physically robbing a casino is nearly impossible to get away with.

    Why is it so difficult to physically rob a casino? Surveillance and security guards. The surveillance starts when you enter the parking lot: some casinos have cameras covering the lot, and others have guards patrolling it.

    The surveillance doesn’t stop there. Inside, a multitude of cameras covers the whole casino and more guards patrol the floors. This is what makes robbing a casino in person nearly impossible to get away with. The physical security is extreme, and casinos have matured it over time.

    Attacking a Casino Network

    Just as a physical heist starts with understanding how the security operates and where the gaps are, network attackers perform reconnaissance on their target in preparation for the attack.

    These activities include:

    • Scanning the Internet-facing casino network for vulnerable systems and services that can be exploited to gain access.
    • Testing the casino email systems to see what types of messages and attachments can pass through without being blocked.
    • Researching the casino staff and preparing pretexts in order to social engineer them into clicking on phishing links or downloading malware that gives the attackers access.

    Similar to having guards and cameras in the parking lot, you can defend against this reconnaissance activity by having intrusion detection and intrusion prevention countermeasures in place that alert you when an attacker is scanning you.

    Once the attackers gain access, the following activities usually take place:

    • Escalate to administrator-level privileges using credentials that were phished, or an exploit that yields the desired access.
    • The attackers start looking for backups to delete or encrypt that are on the network.
    • The attackers start looking for who the stakeholders are and the financial data that may be accessible. The financial data gives the attackers an indication of what the victim is capable of paying from a ransom perspective.
    • The attackers then stage their malware to encrypt data at a time when it’s least likely they will be detected. This is usually on holidays or weekends.

    How Attackers Go Undetected

    The majority of the incidents we have worked that involved ransomware have a lot of things in common:

    • Vulnerable Internet facing systems and services that were exploited.
    • Email systems with no anti-phishing or anti-malware protection in place.
    • No outbound firewall rules. This allows an attacker to reach back out to the Internet to install additional malware or perform command and control activity.
    • Malware defenses that are not optimized for this type of attack.
    • Intrusion detection, monitoring, logging, and alerting that are not in place.
    • Security treated as just another IT activity, with no priority of its own.
    • IT and security staff that are very lean for a 24x7x365 operation that is a high-value target.
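    The outbound firewall gap above is the one most directly fixable with configuration. As an added example (not from the original post), the following nftables ruleset shows the weak posture beside a default-deny egress policy; the interface, addresses, proxy hosts and log prefix are assumptions for a casino server segment.

```nft
#!/usr/sbin/nft -f
# Added example, not the original post's configuration. Addresses, proxy
# hosts and the log prefix are assumptions for an internal server segment.
flush ruleset

table inet egress {
    # WEAK (the posture described in the post): every outbound connection
    # is allowed, so an implant can fetch more tooling or beacon out freely.
    # chain output_weak {
    #     type filter hook output priority 0; policy accept;
    # }

    # Assumed internal web proxies that servers may use for updates.
    set allowed_update_proxies {
        type ipv4_addr
        elements = { 10.20.0.10, 10.20.0.11 }
    }

    # HARDENED: default-drop outbound, allow only what the business needs,
    # and log every denial so the SIEM can alert on it.
    chain output {
        type filter hook output priority 0; policy drop;

        ct state established,related accept
        oif "lo" accept

        # Internal DNS and NTP only (assumed resolver and time server);
        # hosts must not resolve or sync against arbitrary Internet servers.
        ip daddr 10.20.0.53 udp dport 53 accept
        ip daddr 10.20.0.123 udp dport 123 accept

        # Web access only through the approved proxies; no direct 80/443 out.
        ip daddr @allowed_update_proxies tcp dport 3128 accept

        # Anything else is a policy violation: log with a prefix the SIEM
        # rule can match, count it, then drop it.
        log prefix "EGRESS-DENY " level warn
        counter drop
    }
}
```

    A burst of "EGRESS-DENY" entries from a single internal host is exactly the kind of event the post's SIEM and 24x7 monitoring recommendations exist to catch.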

    The attackers’ objectives are to perform reconnaissance, gain access, pillage the network for high-value data, delete any backups, and encrypt the data. They also exfiltrate copies of the data from the victim organization and threaten to share it on the dark web.

    Ransomware and Your Data

    When your data is encrypted the only chance of recovery, if you don’t have backups, is to pay the ransom and obtain the decryption key. There are some things to keep in mind about the decryption process:

    The decryption process may be slow, really slow. So slow that it’s not worth paying the ransom.

    The ransomware may have used a unique key for every instance of data you have. For example, if you have 1500 Word documents, there will be 1500 different decryption keys.

    Ransomware attackers are also double-encrypting data. What that means is that when you decrypt your data, it is still encrypted by an alleged second ransomware attacker. They’ll help you sort that out for an additional cost.

    Decrypting and recovering your data is only part of the problem. The security of your network and systems needs to be addressed. Attackers could have easily planted a backdoor and will attack your organization again in a matter of weeks.

    Securing a Casino Network

    Casinos should take the lessons from their physical security and apply them to their network security.

    For example:

    Having intrusion prevention and intrusion detection, along with threat intelligence, is similar to monitoring the parking lot for bad things before they happen.

    Have properly configured anti-malware, host-based intrusion detection, strong passwords, and logs from critical systems sent to a SIEM or user behavior analytics system where the logging, monitoring, and alerting for activity on the internal network will happen. This is similar to having surveillance cameras on the network.

    Maintain and staff a 24x7x365 security operations center to respond to events and incidents. This is similar to having guards patrolling the floor and monitoring the cameras for bad things that are happening.

    Create a formal information security program and place someone in charge of security like a CISO. The CISO will drive security for the organization and align security with the business objectives.

    Perform periodic penetration testing to see how network defenses work against a potential attacker.