Ransomware has become the scourge of the Internet. It’s so common that it no longer makes the news. In fact, it’s predicted that a business will fall victim to a ransomware attack every 14 seconds by 2019.
Ransomware trojans continue to grow in number, complexity and sophistication. The most dangerous families of ransomware include CryptoLocker, Locky, Cerber, WannaCrypt and CryptoXXX. The majority of these affect Windows-based systems, but some, like Lockscreen, target the mobile Android operating system.
The evolving nature of the threat makes malware attacks very difficult to counter.
Regardless of the type, they all have the same objective: to encrypt or disable access to the files on a computer, or on the network it is part of, and then demand payment for their recovery.
Overseas, cybercrime labs often have budgets as large as or larger than the amount an Enterprise spends annually on security. Ransomware is just one of many approaches hackers use to take advantage of vulnerabilities.
Security analysts estimate that over 75% of hacking-related breaches are due to stolen or weak passwords. Other attack vectors include vulnerabilities exposed in a web application, open or insecure network ports and email-based phishing.
These are all sobering data points, whether you’re a large Enterprise or an SMB. The impact of breaches can be highly damaging: payments, lost data, productivity impacts and more.
Although the different kinds of malware attacks have existed for years, the success of the latest crop of variants is due to improved techniques and technology. Machine learning and other heuristics help hackers learn about network and people patterns. This is very different from prior methods, like looking for flawed encryption implementations, because skilled IT resources and improved security software can detect and disable or prevent those attacks before they cause damage.
While there are many types of vulnerabilities that hackers focus on, this document focuses on ransomware: how it occurs, ways to prevent it, and how to mitigate the damage after a successful ransomware penetration.
Prepare for the Worst
Computers and networks are often initially penetrated through a malicious email, attachment, embedded link or compromised website. Ransomware trojans are disguised as email from a reputable organization, an enticing web form or a message from someone in your contact list. Once the user clicks on a link or provides the requested authentication information, the trojan is off and running and the ransomware attack is initiated.
Ransomware falls into the broad category of malware, that is, software designed to damage or disable a computer or computer system. In one ransomware scenario, the attack disables access to systems by encrypting files. The attacker then demands a ransom in exchange for a key to decrypt the files and regain access. In another scenario, the ransomware simply locks one or more systems so they can’t be accessed.
Today’s cybercrime organizations are businesses with customer support and payment plan offerings. They are nonetheless criminal organizations that should not be trusted: there is no guarantee the decryption or access key will work. There are reports of multiple ransom attacks planted at the time of the first attack, a group of trojans hidden inside the original trojan. These are initiated over time, allowing the attacker to extort a company again and again.
Unfortunately, there’s no silver bullet or single solution that can stop this type of attack, despite security company claims to the contrary. This leaves two options. The first is to pay the ransom, which almost all security experts advise against.
The second option is to use a multi-layered approach to make it more difficult for Ransomware and other attacks to succeed. Implement a security management practice that includes:
- Regular patching of all systems, services and application software, including device firmware.
- Ensure that anti-virus and intrusion prevention software is installed and managed.
- Integrate regular penetration tests, code analysis to identify vulnerabilities, and security bug bounty programs into your security management practice.
- Perform regularly scheduled full backups, automated as much as possible.
- Lock down data access to ensure users who shouldn’t have data rights don’t.
- Default to read-only file access for most users. Manage file access types.
Given how many ransomware attacks succeed, educating staff to detect phishing and related attempts to penetrate the network is a must. Studies show 70% of business users worldwide will click on email links regardless of the sender. After training, the number goes down to 50%.
Ransomware authors continue to get smarter. Their attack software can include routines to find and delete or encrypt backups. This means organizations can’t rely on backups as a response tactic, post-infection.
Security management practices should include attack response protocols that address the common types of attacks and standard steps to identify and remediate them. The approaches above are not exhaustive, but implementing them has helped companies that have been penetrated and attacked to recover.
Once the ransomware is installed, it calls ‘home’ to servers run by the attacker to obtain encryption keys. This uses a standard Internet connection and usually relies on websites which have already been hacked to mask the identity/location of the attacker.
Once encryption keys have been obtained, the ransomware then begins encrypting files, both on the local device and on any connected shared drives. Any files which the user/computer has access to can be encrypted if permissions are not properly set.
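Because the trojan can only encrypt what the logged-in user can write, the blast radius on a shared drive is often discovered file by file during response. The following is an added example (not code from the original article or any vendor) of a defender-side triage script: it walks a directory tree, samples the head of each file, and flags files whose byte distribution looks like ciphertext (Shannon entropy close to 8 bits per byte) while skipping extensions that are legitimately compressed. The skip list, the 7.5-bit threshold, the 64 KiB sample size and the in-memory samples are all assumptions constructed for this example.

```python
import math
import os
from collections import Counter

# Extensions whose contents are legitimately high-entropy (compressed or
# already-encrypted container formats); skipped to reduce false positives.
# This list is an assumption for the example, not an authoritative set.
KNOWN_HIGH_ENTROPY = {".zip", ".gz", ".7z", ".rar", ".png", ".jpg", ".jpeg",
                      ".mp4", ".mp3", ".pdf", ".docx", ".xlsx", ".pptx"}

SAMPLE_SIZE = 64 * 1024   # bytes read from the head of each file (assumed)
THRESHOLD = 7.5           # bits/byte; uniformly random (encrypted) data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte in `data` (0.0 for empty or single-valued input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_bytes(name: str, data: bytes) -> dict:
    """Classify one file's content sample; `name` only supplies the extension."""
    ext = os.path.splitext(name)[1].lower()
    entropy = shannon_entropy(data[:SAMPLE_SIZE])
    return {
        "path": name,
        "entropy": round(entropy, 3),
        # Flag only when the format is not expected to be high-entropy anyway.
        "flagged": ext not in KNOWN_HIGH_ENTROPY and entropy >= THRESHOLD,
    }


def triage_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return triage_bytes(path, fh.read(SAMPLE_SIZE))


def scan_tree(root: str) -> list:
    """Walk `root` (e.g. a mounted share) and return verdicts for flagged files only."""
    flagged = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            try:
                verdict = triage_file(os.path.join(dirpath, name))
            except OSError:
                continue  # unreadable or vanished file: skip rather than abort the scan
            if verdict["flagged"]:
                flagged.append(verdict)
    return flagged


# Constructed samples for demonstration (not captured from any real incident).
CONSTRUCTED_TEXT = b"Quarterly revenue report, draft 3. Totals pending review.\n" * 40
CONSTRUCTED_CIPHERTEXT = bytes(range(256)) * 16   # every byte value equally likely


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for v in scan_tree(root):
        print(f'{v["entropy"]:.3f}  {v["path"]}')
```

Run it against a read-only mount of the share (`python triage.py /mnt/share`) from a clean host, never from the infected machine. Entropy alone is a coarse signal: a flagged file is a candidate for closer inspection, and files the ransomware renamed to a new extension are caught regardless of their original format, which is why the skip list keys on the current name.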
To best manage expectations, recovering data encrypted by modern ransomware trojans is basically impossible. This is true even with the assistance of forensic experts. Encryption flaws do occur, but this is the exception.
Proactive measures reduce the likelihood of an attack being successful but there is no guarantee. Once attacked, it’s important to notify local authorities and the FBI. If you work with a security firm, get them involved immediately. There are firms that have experience and specialize in dealing with these types of attacks.
Paying the ransom is, unfortunately, often the only viable option. Whether to do so depends on several key factors:
- how much damage the attack inflicted
- the value of the inaccessible data
- how long it will take to recover through alternative means
- management policy
- the ransom amount
The caveat here is that there’s no guarantee that paying the ransom will get you a working decryption key. You’re dealing with criminals who may not honor the payment. Bitcoin is often the currency of choice for situations like this since it is hard to track.
If your network is compromised, the first step towards recovery is to isolate the infected machine(s) from the network, disable all shared drives and identify the source of the Ransomware infection. Next, update your security software and run a full scan of your network. The infected machines can then be wiped and, if possible, restored from a backup.
Ensuring that there is no further malware on the network is vital for avoiding further outbreaks. To limit future damage to data stored on network shares, map these as local drives only when absolutely required.
The following is a scenario one impacted firm followed post infection. This is provided as a case study and should not necessarily be considered a best practice or sole approach.
- Immediately take everything offline to isolate the infected environment.
- ‘Go to’ the datacenter and physically disconnect all potentially infected servers from the network.
- Contact your security provider to get their resources involved.
- Install multiple layers of security software on all desktops and laptops for endpoint protection. The same should be considered for mobile devices.
- Install multiple layers of security software on infected machines after a forensic image is taken.
- Reprogram all Firewalls to remove any type of Remote Desktop connectivity.
- Determine the ransomware variant and see if a decryptor is available.
- At this point, it is likely that the hacker has reached out with a demand for payment, usually in bitcoin.
- This is not a recommendation but now is the time to consider paying the ransom.
- Have the engaged 3rd party security firm communicate/negotiate with the hacker and perform forensics.
- If management has decided to pay the ransom, do so to receive the decryption keys.
- Continue to run security audit tools on affected machines for deep forensics investigation.
- Use the keys to, hopefully, restore machine and data access.
- Finish the forensics analysis to determine if there’s evidence of any deeper risk.
- Using a two-pronged strategy, rebuild the impacted environment. This is only done in a corralled, isolated environment. Remember that the backups may be infected or damaged in some way so ensure they are unaffected.
- Test the restored environment.
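The rebuild step above hinges on proving that the backups are unaffected before restoring from them, and the earlier point about attack routines that find and delete or encrypt backups means the proof has to come from a record made before the incident. The following is an added example (not the firm's procedure or any product's code) of a minimal integrity manifest: at backup time it records a SHA-256 digest per file; at restore time it recomputes the digests and reports anything missing, modified or unexpectedly added. The path layout, the manifest file format and the constructed in-memory backup set are assumptions for this example.

```python
import hashlib
import json
import os
import sys


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large backup images do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map each file's path relative to `root` to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def manifest_from_bytes(files: dict) -> dict:
    """Same as build_manifest, for an in-memory {relative_path: bytes} set."""
    return {name: sha256_bytes(data) for name, data in files.items()}


def compare_manifests(expected: dict, actual: dict) -> dict:
    """Diff the recorded manifest against the current state of the backup set."""
    return {
        "missing": sorted(p for p in expected if p not in actual),
        "added": sorted(p for p in actual if p not in expected),
        "modified": sorted(p for p in expected
                           if p in actual and expected[p] != actual[p]),
    }


def backup_is_intact(expected: dict, actual: dict) -> bool:
    # Added files are treated as a failure too: a backup set should not gain
    # files on its own, and dropped ransom notes are one way that happens.
    diff = compare_manifests(expected, actual)
    return not (diff["missing"] or diff["modified"] or diff["added"])


def save_manifest(manifest: dict, path: str) -> None:
    with open(path, "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)


def load_manifest(path: str) -> dict:
    with open(path) as fh:
        return json.load(fh)


# Constructed stand-in for a small backup set (not real data).
CONSTRUCTED_BACKUP = {
    "finance/ledger.csv": b"date,amount\n2024-01-01,100\n",
    "hr/policy.txt": b"All staff must complete phishing training.\n",
}


if __name__ == "__main__":
    # usage: manifest.py record <backup_root> <manifest.json>
    #        manifest.py verify <backup_root> <manifest.json>
    if len(sys.argv) != 4 or sys.argv[1] not in ("record", "verify"):
        sys.exit("usage: manifest.py record|verify <backup_root> <manifest.json>")
    mode, root, manifest_path = sys.argv[1:]
    if mode == "record":
        save_manifest(build_manifest(root), manifest_path)
    else:
        recorded = load_manifest(manifest_path)
        diff = compare_manifests(recorded, build_manifest(root))
        print(json.dumps(diff, indent=2))
        sys.exit(0 if backup_is_intact(recorded, build_manifest(root)) else 1)
```

The manifest is only as trustworthy as its storage: keep it off the backup host and out of reach of the accounts the backup job runs under (write-once media or a separate, credential-isolated location), since an attacker who can delete the backups can otherwise rewrite the manifest to match.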
Once the problem has been resolved, it’s important to review and update existing security procedures and software. Start with a retrospective to understand how the team responded, what went well and what didn’t. If there are no published security procedures, this is the time to create them. Use your 3rd party security advisors to help do this. Don't wait to find a security advisor until after you have been attacked. Research security firms as a part of your go-forward security management practice.
Ransomware, malware and other types of attacks aren’t going away any time soon. In fact, it doesn’t take much effort to search the web (dark or otherwise) to find a firm advertising their malware services. The fees are quite low.
Strengthening your security management practice with the steps above will help minimize your exposure to malware and improve your response management. Use tools to help discover where vulnerabilities exist and eliminate them. Make sure you have documented guidelines to deal with attacks and embed them in your security management practice.