Cybersecurity is a major concern for most organizations, and hearing stories of companies falling victim to ransomware attacks only makes it more concerning. At INFOCUS Envision, Syntax’s Matthew Rogers, Michael Guerra, and Chris Garner presented on how to recover from and prevent ransomware attacks for JD Edwards.

About Syntax

Syntax was founded in 1972 in Montreal, Canada. The team has over 45 years of experience with ERP and ERP-related technologies. Syntax is a full-service Cloud Managed Services and Disaster Recovery provider focused on JD Edwards, E-Business Suite, and SAP. Syntax’s Cloud solutions include public, private, and hybrid cloud featuring AWS, Azure, and Oracle. Their ERP solutions include hosting, managed services, consulting and professional services, application managed services, and managed security services. Syntax is a global company with offices and data centers in North and South America, Europe, and Asia.

Today’s Cybersecurity Landscape

In today’s world, hackers are more targeted, advanced, and stealthy than ever before. Zero-day exploits occur on the same day that a weakness is discovered in the software/firmware. They don’t have known anti-virus signatures, making them tough to detect with no vendor fix. Determined threat actors and advanced persistent threats (APTs) can be patient and resourceful in their efforts to evade defenses.

When hackers are finally successful in gaining access to systems and networks, standard security solutions often “fail silently” – unable to detect an intrusion and alert someone. Hackers come through the virtual private network (VPN) and don’t stop at the endpoint. It’s becoming a real cat and mouse game, and remote work is only making it harder.

Challenges of a Global Pandemic

Due to the global COVID-19 pandemic, a majority of today’s workforce is remote. The pandemic has created new opportunities for cybercriminals. Access to corporate resources remotely through VPN has traditionally led to stricter remote access policies, but the shift to remote work has resulted in more permissive VPN access policies. This has created security risks that indirectly compromise corporate networks.

What Is Ransomware?

According to Chief Security Officer (CSO) Magazine, “Ransomware is a form of malware that encrypts a victim’s files. The attacker then demands a ransom from the victim to restore access to the data upon payment. Users are shown instructions for how to pay a fee to get the decryption key. The costs can range from a few hundred dollars to thousands, payable to cybercriminals in Bitcoin.”

Attackers wait at least three days after breaking into a network to identify “crown jewels.” They leverage these to demand higher ransoms and make more profit. Malicious actors are able to identify important assets, and bad actors attack outside of normal business hours. Hackers time their attacks so response and remediation will be slower.

There is a multitude of strains of ransomware, but the top 10 strains identified by the Computer Business Review (CBR) include:

1. STOP (DJVU)
2. Dharma
3. Phobos
4. Globelmposter
5. REvil
6. GandCrab
7. Magniber
8. Scarab
9. Rapid
10. Troldesh

One of the biggest ransomware attacks in the news took place in 2017. WannaCry infected computers in May 2017 and appeared on government networks in the UK and Russia. Malware demanded $300 in bitcoins from its victims, but users reported that they did not receive their data, even after paying the ransom.

Part of the threat is the large amount of free, commoditized ransomware kits that are available on the dark web.

Some products that can help mitigate these threats include:

• Network mapping: A port scanning tool that searches the network looking for open ports and devices.
• Web vulnerability scanners: These scanners find flaws in a website that will allow unauthorized access to the server.
• Tool collections: Take a little education and can be scripted to create customized tools.
• Password crackers: Sophisticated and fast; help bad actors find the easy way into networks and their data.

Impacts of Ransomware

Ransomware attacks increased 715% year over year, and ransomware incidents exploded in June 2020. Through ransomware comes data breaches. Some examples of data breaches that Syntax walked through included:

• Large hotel chain
  • Hackers obtained employee login credentials of a large hotel chain by credential stuffing or phishing
  • Hacked employees had access to customer information
  • Hackers used that information to siphon off the data for a month before the breach was discovered
  • 500 million guest records were exposed
• Large healthcare company
  • Hackers first installed malware to steal employees login credentials
  • Hackers leveraged a phishing scheme to gain access to systems
  • Sent out a phishing email by impersonating a customer before deploying a ransomware attack
  • 350,000 patients were impacted
• Large retailer
  • A researcher emailed the director of information security at the retailed about a breach and the director said it was a scam
  • For 8 months, the company’s website was leaking customer records in plain text
  • Records could be indexed and crawled by automated tools with very little effort
  • 37 million customer records were exposed

These attacks have impacts on privacy, financials, and reputations of businesses. Josephine Wolff, a Tufts University professor, is quoted saying, “Making ransomware unprofitable is effectively the only way, short of coordinate global regulation of cryptocurrencies, to stop these criminals.” Essentially, she’s saying that not paying the hackers is the only true way to stop them.

The Department of Treasury actually regulates paying ransomware and threatens fines for those who pay. Companies that pay ransomware demands without a license or arrangement with the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) could face fines.

The Federal Bureau of Investigation (FBI) classifies ransomware as one of the fastest-growing threats as it is becoming more targeted, sophisticated, and costly. Robert Mueller, former FBI Director, stated, “For it is no longer a question of ‘if,’ but ‘when’ and ‘how often.’ I am convinced that there are only two types of companies – those that have been hacked and those that will be. And even they are converging into one category – companies that have been hacked and will be hacked again.”

JD Edwards Server Platform Preparation and Prevention

How can you best prepare your JD Edwards platform to prevent these ransomware attacks? Some steps you can take include:

• Installation of an Anti-Virus and Anti-Malware (AV/AM) across JD Edwards servers and complimentary product servers
• Apply periodic Critical Patch Updates (CPU) to address security vulnerabilities
  • Critical Patch Updates available on a quarterly basis
  • Prepare for and find Critical Patch Update Patches for Oracle Fusion Middleware (Doc ID 551453.1)
• Keep current with JD Edwards Tools Release Updates
  • A CPU is a collection of patches for multiple security vulnerabilities
  • Tools Critical Patch Updates (CPU) are rolled up into later Tools Releases

Responding to a Ransomware Attack

If you are unfortunate enough to fall victim to a ransomware attack, Syntax walked through a number of steps you will need to take:

• Analyze the attack and contain the incident
  • Ransomware will encrypt file system artifacts rendering these unusable
    • Media Objects
    • UBE PDFs and CSVs
    • Source, Header, DLLs, Java objects, etc.
    • INI’s, Licensed Fonts, Vertex ISAM Database
    • DB Backup Files: Oracle Dump Files, MS SQL Server Backup Files, E1LOCAL backup files, etc.
  • Virtual server backups/snapshots may be suspect
    • Malware present in a dormant state
  • Backups restored in a quarantined isolated network to run malware scans
    • Time-consuming process
    • Certify servers as clean – with as high of a degree of confidence as possible
      • Clean, quarantine, and collect artifacts
    • Rebuild servers from scratch with AV/AM (targeted priority Production)
      • Parallel effort to the above task

Backups you’ll need for recovery are the usual suspects:

• JD Edwards and Foundation Pre-requisite Product Installation Files
• Database Secure Backups or Database Mirroring
  • PRODUCTION-SET: PRODDTA, PRODCTL, PD9nn, SY9nn, OL9nn, DD9nn, SVM9nn
  • Non-PROD: CRPDTA, CRPCTL, PY9nn, TESTDTA, TESTCTL, DV9nn, PS9nnDTA, PS9nnCTL, PS9nn
  • Database system backups containing users, roles, privileges, etc.
• Deployment Server Virtual Server (or file system, E1LOCAL backup files, JDE/ODBC registry, INI)
• Enterprise (Batch/Logic) and Web Virtual Servers
• JDE Complimentary Product Servers
• INI Files, Fonts, Vertex ISAM: Enterprise Server, JAS, AIS/ORCH, BSSV
• Repository File System Folders (UBE Output, MO Artifact Output)

Syntax’s Experience

The Syntax team pulled together a bit about what they’ve learned throughout their experience with ransomware attacks and backups.

• JD Edwards and Foundation Product Installers tend to be scattered across servers or unavailable (e.g., Tools Release updates)
  • Syntax recommends the use of a Software Repository containing installers, TR’s, ESUs, etc.
• Database Secure Backups or Database Mirroring
  • Active-passive database (log shipping/transaction logs) whereby passive database is kept in sync and serves as a backup server
    • Significance: Passive servers with minimal use are less likely to be infected
  • AWS Cloud Oracle RDS/MS SQL Server RDS
    • AWS RDS type databases are managed by AWS (without OS-level file system access)
  • PRODUCTION-SET Schemas/Databases – Tend to be backed up daily
    • SCHEMAS/LIBRARIES: PRODDTA, PRODCTL, PD9nn, SY9nn, OL9nn, DD9nn, SVM9nn (with Tools 9.2.1.n or above)
  • Non-PROD – Backed up less frequently (Central Objects don’t match Object Librarian or System)
• Deployment Server – Backed up/Server snapshots

Restoring or rebuilding servers from scratch:

• Enterprise (Batch/Logic) and Web Servers – Backed up/Server snapshots
  • INI Files: Enterprise Server, JAS, AIS/ORCH, BSSV
  • Licensed Fonts
  • PATHCODE Import/Export Artifacts
  • Vertex ISAM – Not significant unless you utilize the Vertex Sales Registry
• JDE Complimentary Product Servers – Backed up/Server snapshots
• Repository File System Folders – Backed up/Server snapshots
  • UBE Output
  • Media Object Artifacts

Developing a Backup Strategy

Here are a few important questions to ask when developing your backup strategy:

• How does your backup strategy compare?
  • Frequency and retention
    • PROD vs. non-PROD (Can you afford to lose recent non-PROD updates?
  • Are you safeguarding your database backup files?
    • PRODUCTION-SET: PRODDTA, PRODCTL, PD9nn, SY9nn, OL9nn, DD9nn, SVM9nn
    • Non-PROD: CRPDTA, CRPCTL, PY9nn, TESTDTA, TESTCTL, DV9nn, PS9nnDTA, PS9nnCTL, PS9nn
    • Database system backups containing users, roles, privileges, etc.
  • Have you test-restored your backups to ensure they are viable?
  • Do you have a software repository containing your installers?
    • JD Edwards Installers
    • Pre-requisite foundation product installers (e.g., WLS/WAS/OAS, Visual Studio, etc.)
    • ESUs/Updates, Tools Releases, IDDA/POC fixes