Since Cryptolocker appeared in late 2013, it seems hardly a day can go by without some ransomware attack hitting the news. The variations all have entertaining names like Teslacrypt, Locky, PayCrypt (etc). The impact on the victims can be monumental. Tracking sites show new versions appearing several times a day – much faster than most Anti-Virus products update their definition files. If you are infected, your files really are lost unless you pay.
All of this points to a specific type of malicious software which is causing some very, very big problems to businesses and home users across the globe. In late 2015, even the FBI suggested paying the ransom was the only option for some victims.
But it doesn't have to be this way. Simple steps can prevent infections. Simple steps can allow you to recover.
If you access the internet or read email, ransomware is attacking you. Don't be scared about it. Don't be overwhelmed. Don't think it is not important enough. Don't procrastinate. Just deal with it today.
What is ransomware?
Ransomware is a type of malware that restricts access to the infected computer system in some way, and demands that the user pay a ransom to the malware operators to remove the restriction.
Although only really in the news a lot now, this type of malware has been around for a long time. In 1989 “PC Cyborg” was locking users' computers and spreading via floppy disks. As the internet evolved, so did the ransomware. For a long time, the attacks came in via email and only hit Windows users. However, things are changing. Research indicates that over 50% of infections are from users accessing malicious webpages. This year (2016) has now seen the first OSX ransomware infections hitting Mac users.
The reality is that this is so profitable, criminals will put a lot of effort into keeping it working. If your defences stand still, it will beat you.
There are some common misconceptions around ransomware which hinder investigations. Don’t hinder your response by barking up the wrong tree.
- Myth 1: Ransomware is always sent by email. Far from it. Two years ago this was true, but in the last 18 months things have changed. While email is still a common attack vector, more users are compromised by browser exploits.
- Myth 2: Ransomware is infectious. Most people’s experience of malware is with a virus that spreads by infecting machine after machine. Current versions of ransomware, however, do not do this. By its nature, this type of attack tends to be a single shot, with each user having to be infected directly by the source.
- Myth 3: Ransomware targets businesses. No. Most attacks are targeting home users. This is where the attackers make their money. The assumption is corporate environments can recover without paying. However, attackers don’t tend to be choosy, so businesses do get hit.
- Myth 4: Multiple attacks mean targeting. Still no. Ransomware is so common that you can't assume several users getting infected is a sign that your business is being targeted. It just means attackers have a big list of your email addresses or your users all visit the same sites.
- Myth 5: Only people who visit dodgy sites get attacked. Modern attacks are delivered through otherwise legitimate content delivery networks. Ransomware has infected visitors to newspaper websites, Yahoo pages and much more. Any internet activity can lead to an infection.
Dealing with Ransomware – Simple Steps
For all the trouble it causes, dealing with this form of malware is actually quite simple.
First and foremost is preventing the attacks. This is really important.
However, before you go any further, you need to fully understand that nothing will be 100% effective. The more users you have, the greater the chance of an infection. Our experience is that in a given month, you should expect 1 successful infection for every 5000 users you have.
Accept this. Put good controls in place but realise that you will still need to respond.
Good preventive controls will eliminate 80 – 90% of all malware attacks, including ransomware. The exact level of detail will depend on your environment so make sure you plan this properly.
Start with the basics:
- Patch. Most ransomware attacks exploit unpatched systems. When patches are released you need to apply them as soon as practical. The longer you delay, the greater the risk.
- Filter emails. You need to inspect anything coming into your environment. Use a good mail filter. Block incoming phishing attacks. Block spoofed mails. Block suspicious attachments. Never trust email. Never allow files with .js, .exe, .wsf or .scr extensions. Scan zip files. Still don't trust email.
- Run AntiVirus. While it isn’t perfect, AV really isn't dead. If you run a good AV tool, with regular updates and heuristics enabled, most ransomware attacks will be blocked. Brand new variants will still get through, but you will be protected against the thousands and thousands of older versions.
- Use your firewall. Make sure your firewall blocks outbound connections to known C&C servers. This can disrupt the ransomware as it tries to get the encryption keys, preventing it from running. It isn’t perfect but without it, life is harder.
- Minimise privileged accounts. Administrator accounts must never be used for routine activity. Privilege escalation must be controlled and, ideally, requires manual credential entry each time. If you absolutely must allow privileged accounts access to the internet, this should be whitelisted. Privileged accounts must never be used to access email. If a privileged account is infected by ransomware everything is much, much worse.
- Backup. Backup. Backup. Backup. Take backups. Backup everything you can. Data storage is cheap so there is very little reason to not take copies of everything. The more you backup, the faster you can recover from ANY problem. Take daily, weekly, monthly backups. Test and verify them on a regular basis. It is important to make sure any backups you take are “offline” otherwise ransomware can hit them as well as your life system.
Once you have all that, look to up your game:
- Manage Network Shares. This is the biggest problem for most businesses. Infected users end up destroying files belonging to everyone else because network shares are badly managed. Make sure users only access folders they need to access. If you can, make sure network shares are not mapped as drive letters. Never allow the Everyone or All Users AD groups to have read/write access.
- Harden your browsers. Restrict what people can do with downloaded files. Make sure browser activity is AV scanned.
- Manage application paths. Use GPO or similar to prevent software from running in “unusual” locations. Never allow files to run from %LocalAppData% locations. Ideally, whitelist the applications you allow to run rather than trying to block the ones you don't want.
- Aggressively filter email. Scan everything. Block macros in attachments. Block anything you can't scan. Sandbox everything which comes in.
- Install ad-blockers and disable flash. This closes the door on two of the most common web-based attack vectors.
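The attachment rules from the two lists above (block .js/.exe/.wsf/.scr, look inside zip files, block macros, and block anything you cannot scan) as one gateway check. This is an added example, not code from the original post; the sample message, the zip helper and the verdict names are constructed for illustration.

```python
import email, io, zipfile
from email import policy
from email.message import EmailMessage

BLOCKED_EXTS = {".js", ".exe", ".wsf", ".scr"}   # never allowed through, per the list above

def _last_ext(name):   # lowercase final extension ('Invoice.PDF.js' -> '.js')
    base = name.lower().rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[1] if "." in base else ""

def inspect_blob(name, data, depth=0):
    """Return policy findings for one attachment, descending into zip archives."""
    findings = [f"blocked extension: {name}"] if _last_ext(name) in BLOCKED_EXTS else []
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        return findings
    if depth >= 3:                                   # can't scan it => block it
        return findings + [f"archive nested too deep to scan: {name}"]
    with zipfile.ZipFile(buf) as zf:
        for info in zf.infolist():
            inner = f"{name}/{info.filename}"
            if info.flag_bits & 0x1:                 # password-protected entry: unscannable
                findings.append(f"encrypted archive entry, cannot scan: {inner}")
            elif info.filename.lower().endswith("vbaproject.bin"):   # OOXML macro container
                findings.append(f"VBA macro project inside: {name}")
            else:
                findings += inspect_blob(inner, zf.read(info), depth + 1)
    return findings

def check_message(raw):
    """Parse an RFC 822 message; return ('deliver' | 'quarantine', findings)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        findings += inspect_blob(part.get_filename() or "unnamed", part.get_payload(decode=True))
    return ("quarantine" if findings else "deliver"), findings

def zip_bytes(entries):   # in-memory zip from {name: bytes}, used to construct sample input
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n, b in entries.items(): zf.writestr(n, b)
    return buf.getvalue()

def sample_message():
    """Constructed sample: a zip hiding a double-extension script, plus a macro document."""
    msg = EmailMessage()
    msg.set_content("See attached.")
    msg.add_attachment(zip_bytes({"Invoice.PDF.js": b"..."}), maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment(zip_bytes({"word/vbaProject.bin": b"\x00"}), maintype="application", subtype="vnd.ms-word.document.macroEnabled.12", filename="order.docm")
    return bytes(msg)
```

Running `check_message(sample_message())` quarantines the message with one finding per attachment: the .js hidden behind a .pdf name inside the zip, and the VBA project inside the .docm container.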
If ransomware prevention fails, respond
Respond, but respond properly. Most of the harm from ransomware is the result of confused, delayed or inconsistent activity by the people tasked with responding.
Step 1: Have an incident response plan and stick to it. Don’t allow panic or knee-jerk reactions to dominate during an attack or things will go wrong. Make the plan when things are calm and trust it. If it's bad, fix it after the incident, not during.
Step 2: Don't panic. Ransomware doesn't spread from machine to machine. Take rational steps to minimise business impact. Ignore the people who are screaming about disconnecting everything or shutting everything down. Follow your IR Plan.
Step 3: Know where you are in the attack chain. If you’ve discovered the “ransom note” it's too late to do anything to prevent the attack. However, if your SIEM has alerted on a blocked outbound connection to a C&C server, you can do things.
Step 4: Don't panic. Seriously. Think carefully about what has happened. If you find the ransom note, there is almost zero value in shutting things down or disconnecting services. The attack is already over. All you are doing is hurting your business more.
Step 5: Identify the point of infection. The first rule is that if you find encrypted files on a server, it probably isn’t the source of the infection. Remember, ransomware attacks people so only systems which allow web-browsing or email can be the source. Don’t waste time looking in the wrong place. Use file modification timestamps and ownership to identify the source. This means you shouldn’t rush in and destroy the evidence.
Step 6: Still don't panic. It is only ransomware. It won't spread from machine to machine. It has either been blocked or finished its attack. Stay calm and follow your IR plan.
Step 7: Clean the source. When you find Patient Zero, clean their system. Ideally rebuild the OS and reset all account credentials. Find out what let the ransomware in and implement fixes.
Step 8: Clean and restore the rest of the environment. Delete the encrypted files and restore from backups. Get your business up and running again quickly.
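Step 5 says to use file modification timestamps and ownership to find Patient Zero rather than the server holding the encrypted files. Below is that reasoning worked through over a constructed share listing; it is an added example, not code from the original post. The `.locked` suffix and the ransom-note file name are placeholders standing in for whatever a real infection leaves behind.

```python
from collections import Counter
from datetime import datetime

# Constructed placeholders: the suffix the encrypted copies were renamed to and the
# ransom-note file name. Real families differ; use whatever is observed on the share.
ENCRYPTED_SUFFIX = ".locked"
NOTE_NAMES = {"readme_decrypt.txt"}

def load_listing(text):
    """Parse constructed listing lines of the form 'path | owner | ISO-8601 mtime'."""
    records = []
    for line in text.strip().splitlines():
        path, owner, mtime = (f.strip() for f in line.split("|"))
        records.append({"path": path, "owner": owner, "mtime": datetime.fromisoformat(mtime)})
    return records

def find_patient_zero(records):
    """Attribute an encryption run on a share to the account whose session wrote it.

    The malware runs under the infected user's token, so the encrypted copies and
    ransom notes it writes to a share are owned by that account, and their
    modification times bound when the run started and when it stopped.
    """
    hits = [r for r in records
            if r["path"].lower().endswith(ENCRYPTED_SUFFIX)
            or r["path"].lower().rsplit("\\", 1)[-1] in NOTE_NAMES]
    if not hits:
        return None
    owners = Counter(r["owner"] for r in hits)
    source = owners.most_common(1)[0][0]        # the workstation to go and clean
    times = sorted(r["mtime"] for r in hits)
    return {
        "source_account": source,
        "started": times[0],
        "finished": times[-1],                  # the run is over; nothing to disconnect
        "damaged_files": len(hits),
        # more than one writing account means more than one infected workstation
        "other_accounts": sorted(a for a in owners if a != source),
    }

# Constructed sample listing (path | owner | mtime) as it might be exported from a file server.
SAMPLE_LISTING = r"""
\\fs01\finance\Q1.xlsx.locked        | CORP\jsmith  | 2016-03-02T09:14:02
\\fs01\finance\Q2.xlsx.locked        | CORP\jsmith  | 2016-03-02T09:14:05
\\fs01\finance\budget.docx           | CORP\amiller | 2016-02-27T16:40:00
\\fs01\shared\plan.pptx.locked       | CORP\jsmith  | 2016-03-02T09:20:11
\\fs01\hr\staff.docx.locked          | CORP\jsmith  | 2016-03-02T09:31:40
\\fs01\hr\README_DECRYPT.txt         | CORP\jsmith  | 2016-03-02T09:31:44
"""
```

On the sample, `find_patient_zero(load_listing(SAMPLE_LISTING))` points at CORP\jsmith's workstation, not the file server, with a run lasting from 09:14:02 to 09:31:44.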
Assuming you have good backups, following this process means you will lose, at most, a few hours work for one user and a couple of hours to restore backup files.
This is a far cry from the Hollywood Presbyterian Medical Center which paid a ransom of US$17,000 or Kentucky’s Methodist Hospital which declared a state of emergency to deal with a ransomware attack. It is also quite different from Lincolnshire County Council which had to shut down all its IT services for five days to deal with one ransomware attack. On a smaller scale, although possibly with much greater impact, don't be like the Denbighshire based small business which was nearly wiped out by ransomware.
Don’t make the same mistakes. Implement good practices. Plan well. Prepare for attacks and respond to ransomware in an appropriate manner. Don’t make a bad situation worse, just deal with the attack.
Keep in mind, Cyber Essentials is a UK government initiative which is geared towards organisations implementing cost-effective controls which are very effective at minimising the risks from attacks like ransomware. If you achieve certification then there is a good chance you’ve covered the basic requirements! Get in touch if you want to find out more about how you can become Cyber Essentials certified and protect your business & your supply chain.