MINAF (Ministerio de la Alegría y la Felicidad / Secretary of Joy and Happiness) needs your help!. As part of the governmet reorganization, MINAF took under its wing several organizations related to its main function (make all people who live or travel to Spain happy). One of these organizations is called FFP (Federación de Festejos Patronales / Patron Saint Federation), the ones who organize cellebrations in small towns all around the country. The merge has been... problematic. Poor security standards plus lots of political innuendo is a recipe for disaster, and MINAF has finally (and awkardly) absorbed FFP.
Half past three in the afternoon is never a good time for a security alert. And if it's related to ransomware, much less so. Angela de la Guarda (MINAF's CISO) watches in horror as alerts start to pop up from one of her many (honey|booby)traps: "Something" is disabling the antivirus on her computers, a TTP widely used by HOR (Human-Operated Ransomware).
Acting swifly, Angela launches the emergency protocol designed for these cases: the incident is communicated through the IM crisis group, internet connection is severed, , snapshots for all VM are launched, and backup machines are promptly shut down. Triage data and RAM dumps are quicky obtained for several key systems. Fortunately most of the civil servants are already at home, so the operational impact is minimal. Nonetheless, this is a severe security incident that must be throughly analyzed, contained and erradicated.
Basic info
MINAF (Ministerio de la Alegría y la Felicidad / Secretary of Joy and Happiness), as all of Spain public administration sector, has undergone a massive overhaul of its IT systems (spearheaded mainly by its Digital Transformation initiative). All its endpoints are Windows 10 based, with monthly full patch deployment and daily updated antivirus. Servers totality migrated to Windows 2016 Server, also fully patched and with a solid backup strategy. There is an IDS/network monitoring system deployed (Suricata/Bro combo), and a Sysmon+ELK SIEM is in its testing phase. Best security practices are followed, and MINAF hopes to be ENS (Esquema Nacional de Seguridad, Spanish main security standard for public administration) certified by the end of the year.
On the other way, FFP has ... relaxed security standards. All the computers are Windows 10 a mix of Windows 2012/2016 Servers, but the system administrator have not been following a strict update policy (both patches & AV). Hardening is next to inexistent, and all security meausres are flaky at best.
Evidences
MINAF CISO gives you these evidences:
- https://ctf.unizar.es/ransomware/data/DC.zip : Domain controller triage data
- https://ctf.unizar.es/ransomware/data/mem_dc.zip : Domain controller RAM dump (zipped raw)
- https://ctf.unizar.es/ransomware/data/DC_disk.zip : Logical dump of disk C: (Domain Controller)
- https://ctf.unizar.es/ransomware/data/W10-PC3.zip : PC3 triage data
- https://ctf.unizar.es/ransomware/data/mem_W10-PC3.zip : PC3 RAM dump (zipped raw)
- https://ctf.unizar.es/ransomware/data/W10-PC5.zip : PC5 triage data
- https://ctf.unizar.es/ransomware/data/mem_W10-PC5.zip : PC5 RAM dump (zipped raw)
Here you have the hashes for all the collected evidence:https://ctf.unizar.es/ransomware/data/hashes.txt
[Note0]: Triage data has been acquired with https://github.com/orlikoski/CyLR/releases/download/2.1.0/CyLR_win-x64.zip CyLR. RAM dumps are courtesy of https://github.com/google/rekall/releases/download/v1.5.1/winpmem-2.1.post4.exe Winpmem
[Note1]: The flags are all case-insensitive and must be answered in plaintext (oldschool guy here).
[Note2]: Any evidence you find before November 9, 11:30h UTC must be discarded because it's not related to our case.
Your mission
Ransomware attacks are very serious stuff, and must be contained and erradicated with extreme prejudice. These are your objectives:
- Determine the ransomware that has affected MINAF, and delive IOC that allow IT to verify if a computer is clean or has been compromised.
- Obtain the entry vector used by the attackers
- Follow the digital fooprint of the attackers, and guess all the TTP used to attack MINAF.
Made by
This challenge has been made by Antonio Sanz (@antoniosanzalc), with support from DIEC (Telecommunications Engineering Department) at University of Zaragoza. Extra large thanks go to José Luis Salazar (crypto man) and Alvaro Alesanco (network and medical devices security guy), professors from DIEC/Unizar for their support.
Play, learn, share & have fun!