Full Report
Cody Smith* // As information security professionals we’re not invincible to breaches. Even the most robust security system can’t make up for a lack of user education, which I was […] The post My Ransomware Post-Mortem appeared first on Black Hills Information Security, Inc.
Analysis Summary
# Incident Report: Osiris Ransomware Infection via Phishing
## Executive Summary
A single user in a Small Office/Home Office (SOHO) environment fell victim to a FedEx-themed phishing email in December 2016, leading to an Osiris ransomware infection on their workstation. The lure was generic, but it happened to arrive while the user was expecting a FedEx package. The attacker gained execution by tricking the user into enabling macros in a malicious Microsoft Office document masquerading as a delivery-failure notice. Network segmentation kept the infection on the single machine, and a tested, multi-tier off-site backup allowed the affected data to be restored the next day.
## Incident Details
- Discovery Date: Late Sunday night (December 2016)
- Incident Date: Late Sunday night (December 2016)
- Affected Organization: Client of an unnamed security professional/consultancy
- Sector: Undisclosed (SOHO)
- Geography: Undisclosed
## Timeline of Events
### Initial Access
- Date/Time: Late Sunday night, December 2016
- Vector: Phishing via email, social engineering.
- Details: The user received an email purporting to come from "FedEx" and claiming that a package delivery had failed. The user was coincidentally expecting a FedEx package, which made the lure convincing. The user opened the attached Microsoft Office document and, when prompted, enabled its macros; the macro then ran the ransomware payload.
### Lateral Movement
- **None observed.** The segmentation of the network successfully prevented the ransomware from propagating beyond the initial host.
### Data Exfiltration/Impact
- **Impact:** The user's local files were encrypted by the Osiris ransomware, evidenced by garbled filenames ending with the `.osiris` extension and modified file icons.
- **Scope:** Limited strictly to the single end-user workstation.
### Detection & Response
- **Detection:** The user manually reported the issue late Sunday night, observing that their files were inaccessible and renamed.
- **Response Actions:** The analyst immediately prepared forensics gear (MacBook Pro, Kali Linux machine) and responded on-site. Recovery involved restoring files from verified, off-site backups.
## Attack Methodology
- **Initial Access:** Social engineering via a FedEx-themed phishing email carrying a macro-enabled Microsoft Office document. Execution required the user to accept the Office macro security warning (the "Enable Content" prompt); no software exploit is described.
- **Persistence:** Not detailed in the source. None was needed for the attack to succeed: the payload completed its encryption in a single run.
- **Privilege Escalation:** None reported. Encrypting a user's own files requires only that user's privileges, so the payload had no need to elevate.
- **Defense Evasion:** The attack relied on the user's trust in the lure and on the common habit of enabling macros whenever a document asks for them, rather than on any technical bypass.
- **Credential Access:** Not detailed in the source.
- **Discovery:** No internal reconnaissance is described; the payload proceeded directly to file encryption.
- **Lateral Movement:** None observed due to preventative network segmentation.
- **Collection:** Local file system traversal for encryption targeting.
- **Exfiltration:** Not mentioned as an objective or successful step in this report.
- **Impact:** Data destruction/denial of access via file encryption using Osiris ransomware.
## Impact Assessment
- **Financial:** Not quantified; the cost was limited to the response and the recovery effort, which was completed the following day.
- **Data Breach:** Local machine files were encrypted; specific volume or sensitivity not stated.
- **Operational:** Minimal operational downtime; files were restored the day following discovery.
- **Reputational:** Not mentioned.
## Indicators of Compromise
- **Network indicators:** None given in the source (no IPs, domains or URLs are reported).
- **File indicators:** Files renamed with garbled base names and the `.osiris` extension, with changed file icons. The ransomware skipped some `.jpeg` and `.pdf` files and did not drop its note consistently, so unencrypted files next to encrypted ones are expected.
- **Behavioral indicators:** An Office document prompting the user to enable macros, followed by mass renaming of the user's files on the same host.
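The file-level indicators above are simple enough to check mechanically when scoping an infection. The following script is an added example and is not code from the original BHIS post; it walks a directory tree, counts files carrying the `.osiris` extension, lists the directories they sit in, records the time window of the renames (useful for the timeline) and tallies the extensions of files the malware left untouched, which matches the report's observation that some `.jpeg` and `.pdf` files were skipped. The ransom-note filename keywords are an assumption for illustration, since the report does not state the note's name, and the sample tree it builds is constructed data, not files from the incident.

```python
"""Added example (not from the original post): triage a host's file tree for
the Osiris ransomware indicators described in the report."""
import hashlib
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extension observed in the incident; extend for other families.
RANSOM_EXTENSIONS = {".osiris"}

# Assumption for illustration: ransom notes are matched loosely by keyword in
# the filename. The report does not give the note's actual name.
NOTE_KEYWORDS = ("osiris", "readme", "recover", "decrypt")
NOTE_SUFFIXES = {".htm", ".html", ".txt", ".bmp"}


def classify(path: Path) -> str:
    """Classify one file as 'encrypted', 'note' or 'clean' by its name only."""
    suffix = path.suffix.lower()
    if suffix in RANSOM_EXTENSIONS:
        return "encrypted"
    if suffix in NOTE_SUFFIXES and any(k in path.name.lower() for k in NOTE_KEYWORDS):
        return "note"
    return "clean"


def triage(root: Path) -> dict:
    """Walk `root` and summarise the ransomware indicators found beneath it."""
    counts = Counter()
    affected_dirs = set()
    untouched_by_ext = Counter()
    first_mtime = last_mtime = None
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            p = Path(dirpath) / fname
            kind = classify(p)
            counts[kind] += 1
            if kind == "encrypted":
                affected_dirs.add(Path(dirpath).relative_to(root).as_posix())
                mtime = p.stat().st_mtime  # rename time bounds the encryption window
                first_mtime = mtime if first_mtime is None else min(first_mtime, mtime)
                last_mtime = mtime if last_mtime is None else max(last_mtime, mtime)
            elif kind == "clean":
                untouched_by_ext[p.suffix.lower()] += 1
    return {
        "total_files": sum(counts.values()),
        "encrypted": counts["encrypted"],
        "notes": counts["note"],
        "clean": counts["clean"],
        "affected_dirs": sorted(affected_dirs),
        "untouched_by_ext": dict(untouched_by_ext),
        "encryption_window": (first_mtime, last_mtime),
        "hit": counts["encrypted"] > 0,
    }


def build_sample_tree(root: Path) -> None:
    """Constructed sample data (not from the incident): a user profile after an
    Osiris run, including a .jpg and a .pdf the malware skipped."""
    docs, pics = root / "Documents", root / "Pictures"
    docs.mkdir(parents=True)
    pics.mkdir(parents=True)
    for name in ("report.docx", "budget.xlsx", "notes.txt"):
        garbled = hashlib.sha256(name.encode()).hexdigest()[:8].upper()
        (docs / f"{garbled}.osiris").write_bytes(b"\x00" * 16)  # encrypted and renamed
    (docs / "OSIRIS-readme.htm").write_text("<html>pay</html>")  # assumed note name
    (docs / "invoice.pdf").write_bytes(b"%PDF-1.4")               # left alone by the malware
    (pics / "holiday.jpg").write_bytes(b"\xff\xd8\xff")            # left alone by the malware


def run_demo() -> dict:
    """Build the sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return triage(root)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

On a real host, point `triage()` at the user's profile (or the mounted image of it) rather than the sample tree; the `affected_dirs` list is what tells you whether a mapped share was reached, and a non-empty `untouched_by_ext` tally tells you which originals can be kept rather than restored.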
## Response Actions
- **Containment:** The infection was confined to the single infected workstation; the on-site response was scoped to that one host.
- **Eradication:** Not detailed in the source; the report's focus is on recovery.
- **Recovery:** The 64 GB of affected data was restored from the weekly off-site backup chain (local NAS to AWS S3 to Glacier). The S3 copy was used because it could be pulled back the next day, whereas the Glacier tier is slower to retrieve.
## Lessons Learned
- Users remain the weakest link even when sound technical controls are in place; a single accepted macro prompt defeated the rest of the stack.
- The analyst took full responsibility for the breach, attributing it to a failure to educate the end user about current threats (macro-enabled document lures).
- The Osiris sample was imperfect: it skipped some `.jpeg` and `.pdf` files and did not place its note in every directory, which simplified cleanup.
- Tested, multi-tier, off-site backups (local NAS to S3 to Glacier) were the decisive control for recovery.
- Network segmentation limited the blast radius to one host.
## Recommendations
- Enforce Office macro policy centrally (Group Policy or local policy): block macros in Office files that came from the Internet, and disable macros without notification for users who do not need them, so the "Enable Content" decision is never left to the user.
- Use AppLocker or Software Restriction Policies to block execution of binaries and scripts from `%TEMP%` and other user-writable locations, which is where macro droppers typically write their payload.
- Enhance user education immediately, sending out warnings about current phishing threats like macro delivery mechanisms.
- Conduct internal security tests (e.g., sending simulated phishing emails) to gauge user awareness and identify high-risk users.
- Regularly test backup restoration procedures to ensure viability and speed.
- Rigorously enforce the principle of least privilege, especially concerning file share access.
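The recommendation to test backup restoration regularly, and the recovery that relied on it above, can be turned into a repeatable drill: record a hash manifest of the data at backup time, restore to a scratch location, and compare. The script below is an added example, not the backup tooling from the original post; it is storage-agnostic (the same check applies whether the restore comes from a NAS, S3 or Glacier) and uses a constructed sample tree, a deliberately incomplete restore and a corrupted file to show what a failed drill reports.

```python
"""Added example (not from the original post): a backup restore drill that
verifies a restored tree against a hash manifest taken at backup time."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def manifest(root: Path) -> dict:
    """Map each file path (relative to root, POSIX form) to its SHA-256 digest."""
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            result[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return result


def verify_restore(expected: dict, restored_root: Path) -> dict:
    """Compare a restored tree with the manifest recorded when the backup was taken.

    The drill passes only if every expected file is present with the same digest;
    extra files are reported but do not fail the drill.
    """
    actual = manifest(restored_root)
    missing = sorted(set(expected) - set(actual))
    extra = sorted(set(actual) - set(expected))
    mismatched = sorted(k for k in expected.keys() & actual.keys() if expected[k] != actual[k])
    return {
        "ok": not missing and not mismatched,
        "missing": missing,
        "extra": extra,
        "mismatched": mismatched,
        "checked": len(expected),
    }


def build_source(root: Path) -> None:
    """Constructed sample data (not from the incident)."""
    (root / "Documents").mkdir(parents=True)
    (root / "Pictures").mkdir(parents=True)
    (root / "Documents" / "report.docx").write_bytes(b"report v1")
    (root / "Documents" / "budget.xlsx").write_bytes(b"budget v1")
    (root / "Pictures" / "holiday.jpg").write_bytes(b"\xff\xd8\xff")


def run_drill() -> dict:
    """Run three restores against one manifest: partial, corrupted and full."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "live"
        build_source(source)
        recorded = manifest(source)  # stored alongside the backup at backup time

        # Restore 1: a file never made it back (e.g. the job was interrupted).
        partial = tmp / "restore_partial"
        shutil.copytree(source, partial)
        (partial / "Pictures" / "holiday.jpg").unlink()

        # Restore 2: every file is present but one came back corrupted.
        corrupted = tmp / "restore_corrupted"
        shutil.copytree(source, corrupted)
        (corrupted / "Documents" / "budget.xlsx").write_bytes(b"budget v1 truncated")

        # Restore 3: a clean, complete restore with one stray extra file.
        full = tmp / "restore_full"
        shutil.copytree(source, full)
        (full / "restore.log").write_text("done\n")

        return {
            "partial": verify_restore(recorded, partial),
            "corrupted": verify_restore(recorded, corrupted),
            "full": verify_restore(recorded, full),
        }


if __name__ == "__main__":
    for name, outcome in run_drill().items():
        print(f"{name}: ok={outcome['ok']} missing={outcome['missing']} "
              f"mismatched={outcome['mismatched']} extra={outcome['extra']}")
```

In practice the manifest is generated by the backup job itself and kept with the backup (and a copy elsewhere, since a manifest that is only on the NAS is encrypted along with everything else). Timing the full restore as part of the drill gives the recovery-time figure that decides which storage tier is acceptable for which data.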