By Chris Adams, Park Place Technologies
Little more than a year ago, the WannaCry virus held many of the world’s banks, government offices, and businesses for ransom. Today IT pros are still working to defend against this rapidly evolving threat. After all, no one wants to be locked out of their own systems until they pay a hacker.
Unfortunately, attempting to build an impervious shield around business IT assets (or, for that matter, personal ones) is as expensive as it is difficult. Given that ransomware was estimated to be a $1 billion industry back in 2016, rapid development in this malevolent field is basically inevitable. Most experts accept that some vulnerabilities to innovative, new malware will always remain.
That doesn’t mean taking things lying down, however. There are several strategies worth adopting to lower risk and maximize the chance of recovery. Ransomware protection is a modest but worthy investment to avoid paying off criminals down the road.
What is ransomware?
First off, what is the nature of the threat we’re facing? It’s actually broader than some may presume. Ransomware is an overarching term for any form of malware demanding payment, often in a cryptocurrency like Bitcoin, to undo the havoc a virus has wrought. Like most products these days, it comes in various flavors.
Encrypting ransomware is familiar from WannaCry. It uses public-key encryption to block access to data, so the files cannot be recovered without a key only the attacker holds. That key is made available for a price.
Non-encrypting ransomware is somewhat simpler. It will often display pop-ups, web pages, or other annoying content with such speed as to render a PC, mobile phone, or other device useless. Again, paying the ransom will turn off the onslaught.
Finally, there is leakware. Its threat lies in the hacker going public with information that’s been illegally accessed. Users worried over revelation of trade secrets, confidential business or customer information, or frankly embarrassing personal data are often willing to pay to keep it private.
While the WannaCry debacle has IT leaders on edge about encrypting ransomware, it’s important not to limit protection strategies to this potentiality. For example, when suffering from an encrypting ransomware attack, snapshots can be helpful in restoring networked systems to a clean, pre-virus state with minimal data loss. But this approach is useless against leakware.
Sadly, the days of non-encrypting ransomware are coming back strong with the Internet of Things (IoT). The devices that are steadily taking over everything from home thermostats to industrial monitoring systems hold very little data themselves. But disabling self-driving cars, heart pacemakers, or the power grid could one day put lives up for ransom. It’s the future disaster scenario security professionals are trying hard to outsmart.
Can you recover from a ransomware attack?
Ransomware is a prime example of “better safe than sorry.” Simplistic, non-encrypting ransomware can usually be cleansed, and assuming adequate, uncorrupt backups exist, the attack is little more than a nuisance. But things get difficult with the more sophisticated viruses.
There is little that can be done after the fact in the case of leakware. The hacker generally has the information in hand ready to release. It’s also likely that many of the IoT threats on the horizon will be serious or life-threatening enough that ransom payment will be the best option.
Encrypting ransomware lies somewhere in the middle on this spectrum. If the virus is detected early, it may be possible to intervene before data encryption takes place. Immediate disconnection from all networks and communications can prevent the virus from making contact with its command and control server, or at least help quarantine the malware.
Moreover, a complete or near-complete data restore can be possible after encryption, depending on the backup processes in place. Should a significant volume of data undergo encryption without adequate backup, recovery tools offer real but very limited hope.
Decryption works best on well-known ransomware strains—but these are precisely the threats the enterprise should be proactively deflecting. For new strains less apt to be picked up by antivirus and anti-ransomware software, fewer post-attack options exist. If the malware uses the same key for all encrypted files, a brute-force analysis against uncorrupt archives can sometimes identify the key, but it’s a time-consuming process. Similarly, forensic software may help recover previously deleted files on a disk. At this point, however, most businesses are considering paying to release their data.
Preparing for ransomware attack before it happens
Post-attack mitigation options are few. That leaves preparation and defense as the best approach. How is a business to go about it?
There are multiple levels of the organization that need to get involved in setting priorities, selecting the right toolsets, and implementing policies down to the PC and employee levels. We’ll take a look at each of them in turn.
Level I: The Corporate Guard
Taking the ransomware threat seriously and realizing it will evolve in the coming years are initial steps toward protecting corporate systems. Ransomware should be considered a high-level issue and garner the attention of top technology personnel. This will involve the following steps:
- Putting a price on data: The business needs to put a price on its data before a hacker does. Understanding the relative value of different types of data allows the organization to set an acceptable level of failure. It will not usually be possible to defend the entire castle to the same extent without interrupting business processes or bogging down backups. Similar risk analysis pertains to IoT devices based on the potential for damage.
- Network architecture: The IT infrastructure can be designed to help resist widespread ransomware infection. For example, mission critical systems should be isolated to the greatest degree possible. Many enterprises may want to involve outside security experts to make sure they get the architecture right.
- Intrusion detection systems: IDS products are getting better. A variety of options, including the open source Snort, can monitor networks at the packet level and identify potentially malevolent traffic patterns. These tools are worth employing and researching further as machine-learning solutions develop.
- Post-intrusion plan: IDS or aIDS systems enable rapid response to potential threats, so they come in handy. The next steps should also be set in advance. Value-based considerations will tell the business when it’s time to pay the ransom to restore operations, regain control of data, or avoid human impacts possible with IoT attacks.
Level II: Backup Preparation & Verification
As we’ve mentioned, backups can enable data recovery without paying a ransom in the case of an encryption ransomware attack. Although they don’t alone establish a fool-proof defense to all ransomware, backups are important enough to warrant careful consideration.
The data backup plan should be diversified so there is no single point of failure. Store multiple copies of high-value data online, offline, and off-site. It’s now easier than ever with cloud services.
Toggling data access privileges and setting read/write permissions can prevent files from being modified or erased. Additionally, the data snapshots used for recovery, such as Windows Volume Shadow Copy Service (VSS) snapshots, are often targeted by the more aggressive ransomware, which deletes them before encrypting. Disabling access to the vssadmin.exe tool in Windows, and to the equivalent tools on other systems, can thwart this step.
Staff must consistently check the integrity of backup copies and regularly review policies. The march of technology means a desirable level of backup that wasn’t practical a year ago might be possible today. For mission critical data, many enterprises now ensure data loss after attack is measured in minutes, not hours or days.
A third party IT support partner can be a valuable resource in optimizing backups and performing regular maintenance to ensure they’re working. Look for one with Data Protection as a Service (DPaaS) offerings. The best vendors will be able to accommodate a company’s multi-prong approach to data backup, whether that includes mirror sites, disaster recovery or backup as a service (DRaaS or BaaS) products, tape backups and archival storage systems, or other tools.
Level III: The Network’s Defense
The network team should use current software and industry-recommended security policies to prevent payloads from launching and viruses from spreading. First and most obviously, ransomware-protection tools should be in place. The growth of the problem over the past few years has driven the security industry to develop various products, which offer a baseline level of protection.
From there, key points for network team attention include:
- Patches: Regular installation of O/S patches, antivirus updates, and browser plug-ins will help avoid penetration by known threat variants. If necessary, engage a support partner to help.
- Firewalls: Look into active firewalls, and make sure all firewalls are properly configured. Security suites that accommodate several firewalls can be a great addition to the stock intrusion defense.
- Passwords: Regularly prompt users to change their passwords, and require them to meet minimum standards for strength.
- Software restriction policies: Malicious processes frequently use similar locations, namely ProgramData, AppData, Temp, and Windows\System. It is often prudent to keep executable files in these locations from running.
- Block lists: Keep an updated list of known-malicious addresses. TOR (The Onion Router) gateways, for instance, are a common means for ransomware threats to communicate with their command and control servers.
- Anti-spam settings: Filtering on the mail server can block attachment types often used to transport viruses, such as .exe, .vbs, or .scr. Screen these out unless there is a compelling reason for users to transmit or receive such files over email.
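Two of the recommendations above, restricting executables in ProgramData, AppData, Temp and Windows\System (the software restriction policies item) and guarding vssadmin.exe (Level II), can also be monitored after the fact. This added example, not code from the article or the company, scans process-creation records for both conditions. It assumes Sysmon-style JSON lines with Image, ParentImage, CommandLine and User fields; the sample events are constructed for the demonstration and are not real telemetry.

```python
import json
import ntpath

# Constructed sample events (not real logs). The third record shows the pattern
# the article warns about: vssadmin.exe asked to delete shadow copies.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe report.txt", "User": r"CORP\alice"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "invoice.exe", "User": r"CORP\alice"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "CommandLine": "vssadmin.exe Delete Shadows /All /Quiet", "User": r"CORP\alice"},
    {"Image": r"C:\ProgramData\Updater\svc.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svc.exe", "User": "NT AUTHORITY\\SYSTEM"},
    {"Image": r"C:\Windows\System32\vssadmin.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "vssadmin list shadows", "User": r"CORP\backupadmin"},
])

# Directory names the article lists as common launch points for malicious processes
USER_WRITABLE_DIRS = {"programdata", "appdata", "temp"}


def _dir_parts(image: str) -> list:
    """Lower-cased directory components of a Windows path (file name dropped)."""
    parts = [p.lower() for p in ntpath.normpath(image).split("\\") if p]
    return parts[:-1]


def runs_from_restricted_location(image: str) -> bool:
    """True if the executable lives in one of the restricted directories."""
    parts = _dir_parts(image)
    if USER_WRITABLE_DIRS & set(parts):
        return True
    # Legacy Windows\System: match whole components so System32 does not trip it
    return any(a == "windows" and b == "system" for a, b in zip(parts, parts[1:]))


def is_shadow_copy_deletion(image: str, command_line: str) -> bool:
    """True for vssadmin.exe invoked with both 'delete' and 'shadows'."""
    if ntpath.basename(image).lower() != "vssadmin.exe":
        return False
    tokens = command_line.lower().split()
    return "delete" in tokens and "shadows" in tokens


def analyze(lines) -> list:
    """Return one finding per matched rule, keyed by input line number."""
    findings = []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        ev = json.loads(line)
        image, cmd = ev.get("Image", ""), ev.get("CommandLine", "")
        context = {"line": n, "image": image,
                   "parent": ev.get("ParentImage", ""), "user": ev.get("User", "")}
        if is_shadow_copy_deletion(image, cmd):
            findings.append({"rule": "shadow_copy_deletion", **context})
        if runs_from_restricted_location(image):
            findings.append({"rule": "exec_from_user_writable_dir", **context})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS.splitlines()):
        print(f"line {f['line']}: {f['rule']}  {f['image']}  (parent {f['parent']}, user {f['user']})")
```

The parent process is carried in each finding because it is what turns an alert into a story: vssadmin launched by a backup administrator's shell is routine, while vssadmin launched by an executable that itself ran out of a Temp folder is the sequence a post-intrusion plan should trigger on.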
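The anti-spam item above can be illustrated with the standard library alone. This added example, not code from the article or the company, parses a MIME message and screens each attachment: by the extensions the article names, and additionally by content, since a renamed executable still begins with the "MZ" PE header. The sample message and its attachments are constructed here; the block list is an assumption to be extended per site policy.

```python
import email
import posixpath
from email import policy
from email.message import EmailMessage

# Extensions the article lists; extend to match local policy (assumption)
BLOCKED_EXTENSIONS = {".exe", ".vbs", ".scr"}


def build_sample_message() -> bytes:
    """Constructed test message: one benign PDF, three attachments a filter should stop."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "alice@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"%PDF-1.4 fake pdf body", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    # Double extension: looks like a PDF to a user, runs as an executable
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 16, maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    # Executable renamed to .txt and declared as text/plain
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 16, maintype="text",
                       subtype="plain", filename="notes.txt")
    msg.add_attachment(b"WScript.Echo 1", maintype="text",
                       subtype="plain", filename="run.vbs")
    return msg.as_bytes()


def screen_attachments(raw: bytes) -> list:
    """Return (filename, verdict) for every attachment in the message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = posixpath.basename(part.get_filename() or "")
        ext = posixpath.splitext(name.lower())[1]
        data = part.get_payload(decode=True) or b""
        if ext in BLOCKED_EXTENSIONS:
            verdicts.append((name, f"blocked: extension {ext}"))
        elif data[:2] == b"MZ":
            verdicts.append((name, "blocked: PE header despite extension"))
        else:
            verdicts.append((name, "allowed"))
    return verdicts


if __name__ == "__main__":
    for name, verdict in screen_attachments(build_sample_message()):
        print(f"{name:18s} {verdict}")
```

The content check matters more than the extension list: it is cheap, it catches the rename trick that defeats a name-only filter, and it needs no update when attackers pick a new extension. A production gateway would also open archives, since the same executables arrive inside .zip files.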
Level IV: PC and Device Protections
Finally, PC Support will want to ensure that all devices are maximally protected by:
- Disabling file sharing and remote services, if doing so will not inhibit users’ workflow;
- Switching off unused wireless connections so they cannot be exploited as an initial vector;
- Disabling vulnerable Windows functionality, such as Windows Script Host and Windows PowerShell;
- Securing Microsoft Office by disabling macros and ActiveX and blocking external content, whenever possible;
- Installing pop-up blockers to shut down another entry point for Trojan attacks;
- Disabling autoplay to prevent automatic launch of ransomware files.
Mobile device security can be improved by downloading apps only from known sources and using verified antivirus and security apps. IoT devices should also be properly configured using available settings and network-based protections. With IoT security threats receiving greater attention, hopefully we can expect more advanced device-level protections in future generations of these products.
Level V: Human Smarts
Sometimes the best architecture, the best tools, and constant vigilance over updates and settings are not enough to prevent virus penetration. Should technical defenses fail, users themselves can be the final source of protection.
IT departments should teach their user communities good cyber-hygiene habits, with regular sessions to refresh and update their skills. Making users aware of various types of threats, such as spearphishing attacks—and what to do and who to contact if they see something suspicious—could alert IT to an issue while there is still time to intervene effectively.
Good ransomware defense is not a guarantee against a successful attack, but that’s no excuse to avoid basic steps. Make reasonable investments in tools and technologies, from antivirus to aIDS. Develop comprehensive, consistent security protocols. And get on your maintenance game to keep virus definitions and other defenses, not to mention your backups, up to date. If it’s too much for internal staff to stay on top of, find a third party provider to help.
After all, even that headline-maker, WannaCry, which took so many IT pros by surprise, leveraged a widely known exploit. Most of the time, simply screening out the usual suspects is enough to avoid getting hacked.
Chris Adams is the President & Chief Operating Officer at Park Place Technologies.