“Don’t Panic!”: Lessons to Be Learned from Ransomware
By Doug Pollack - Article on June 15, 2016
- Cyber Security
- Data Breach Notification
- Data Privacy
- Incident Response
If you’ve ever watched a detective show, you know a murder suspect must have a motive, a means, and an opportunity to commit the crime. If we think about ransomware—malware that holds computers or data hostage—every cyber criminal on the planet has all three. As we discussed in our first article in this series, hackers can make millions of dollars off a single strain of ransomware, so the financial motive is strong. In our second, we learned that the means for a ransomware attack are available to even the most unsophisticated criminals in return for a small cut of the action, and opportunities to deliver the malware abound, from phishing attacks against users to embedding it in legitimate software patches. It’s no wonder that businesses and consumers are falling victim, and the worst part is that, as fast as systems can be resurrected, they can be “murdered” again. (I know, this is starting to sound less like a detective story than a season finale from Game of Thrones.)
Until the security community figures out how to stop it, ransomware infections may be as inevitable as death and taxes. But the better you handle them when they happen, the less chance you will be plagued by them over and over again. In this article, we’ll look at things you can do to lower the likelihood of a malware attack, and how to handle one if it happens, both during the attack and after.
Obviously there is no perfect defense against ransomware. If there were, attacks wouldn’t have increased by orders of magnitude in the last couple of years. That said, there are steps you can take to reduce the risk. Training staff to spot and avoid phishing scams and not to open unsolicited email attachments will help keep ransomware out, and, according to a study by Ponemon Institute, it can have up to a 50x ROI by preventing multiple types of attacks. Keeping software up to date helps stop attacks that take advantage of known vulnerabilities. Infosec experts also recommend a layered approach to security that includes firewalls, web scans, and anti-virus software.
Prevention is great, and it will fend off some percentage of ransomware attacks, but your most important defense against ransomware is mitigation—planning ahead to limit the damage and to help recover quickly from an attack. You can limit the damage by segmenting systems and networks and by a rigorous system of access controls that ensures that users only have access to information and services that they need, limiting the potential damage from a stolen password. And the key to recovery is to have backups that are complete, up-to-date, disconnected from your systems (either physically or in the cloud), and tested regularly to be sure that you can successfully restore from them.
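As an added illustration, not code from the article, the check below does what the paragraph asks of backups: it records a hash manifest when the backup is taken, then, after a trial restore, confirms that every file came back intact and that the backup is recent enough to be worth restoring. The manifest layout, the one-day freshness limit and the constructed file set are assumptions.

```python
"""Restore test for a backup set. Added example, not code from the article:
records a hash manifest when the backup is taken, then after a trial restore
checks that nothing is missing, nothing changed, and the backup is fresh."""
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone

MAX_BACKUP_AGE = timedelta(days=1)  # assumed recovery-point objective


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(src_dir):
    """Map relative path -> sha256 for every file under src_dir. Run this at
    backup time and keep the manifest with the offline copy, not on the live server."""
    manifest = {}
    for root, _dirs, files in os.walk(src_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, src_dir)] = sha256_of(full)
    return manifest


def verify_restore(manifest, restored_dir, taken_at, max_age=MAX_BACKUP_AGE, now=None):
    """Compare a trial restore against the manifest and report what is wrong."""
    now = now or datetime.now(timezone.utc)
    missing, corrupted = [], []
    for rel, expected in manifest.items():
        full = os.path.join(restored_dir, rel)
        if not os.path.isfile(full):
            missing.append(rel)
        elif sha256_of(full) != expected:
            corrupted.append(rel)
    stale = (now - taken_at) > max_age
    return {
        "ok": not missing and not corrupted and not stale,
        "missing": sorted(missing),
        "corrupted": sorted(corrupted),
        "stale": stale,
    }


def demo(hours_old=6):
    """Constructed scenario: three files backed up; on restore one comes back
    altered and one never comes back. hours_old is the backup's age at test time."""
    with tempfile.TemporaryDirectory() as tmp:
        live = os.path.join(tmp, "live")
        restored = os.path.join(tmp, "restored")
        os.makedirs(os.path.join(live, "finance"))
        os.makedirs(os.path.join(restored, "finance"))
        originals = {
            "finance/ledger.xlsx": b"ledger rows",
            "orders.csv": b"order rows",
            "notes.txt": b"notes",
        }
        for rel, data in originals.items():
            with open(os.path.join(live, rel), "wb") as f:
                f.write(data)
        manifest = build_manifest(live)
        taken_at = datetime.now(timezone.utc) - timedelta(hours=hours_old)
        # simulated restore: ledger intact, orders.csv altered, notes.txt absent
        with open(os.path.join(restored, "finance/ledger.xlsx"), "wb") as f:
            f.write(b"ledger rows")
        with open(os.path.join(restored, "orders.csv"), "wb") as f:
            f.write(b"not the original bytes")
        return verify_restore(manifest, restored, taken_at)


if __name__ == "__main__":
    print(demo())
```

Running the check on a schedule, against a restore into a scratch location, is what turns "we have backups" into "we know we can restore"; a manifest kept only on the server being backed up would be encrypted along with everything else, which is why the comment puts it with the offline copy.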
With the current explosion of ransomware, there’s a good chance that a ransomware attack will get through, despite your best defenses. Unfortunately, there are so many strains of ransomware and so many different attack tactics that no one can tell you exactly what to do when faced with the CryptoWall doomsday clock or the Petya pirate flag. But here’s what not to do: panic.
One of our associates, an IT consultant, dealt with a ransomware attack recently at a client of hers. Her story demonstrates many of the things that you should do, starting with keeping calm. This consultant (at her request, I’ll just call her “D.”) provides IT services for smaller companies that don’t have their own IT staff. Recently she was contacted by an employee at one of her clients, a manufacturing company with around 50 employees, who said the files on her computer were suddenly changing names. She sent a screen grab showing the altered filenames, so D. did a quick Google search and discovered that a ransomware attack was in progress.
The ransomware was still in the process of encrypting files and hadn’t displayed a ransom screen yet, so D. told her client to immediately disconnect the affected server from the network, disconnect all servers from the Internet, and tell all employees to stay off the network and not open any files until she could assess the situation. When she arrived on site, she found the main server was totally corrupted and was seeking fileshares on the network to encrypt more data. At that point, the client’s business was badly disrupted, so a decision was made not to do forensics to track the source of the attack, and instead to try to restore the systems from backups. Even without forensics, it took 48 hours to fully recover from the attack.
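The signal that started D.'s response, files changing names across a share, can be watched for automatically rather than waiting for a user to notice. The added example below (not D.'s tooling or anything from the article) scans a constructed tab-separated file-event log and raises an alert when one user on one host renames many files to a new extension within a minute; the log format, the threshold of 25 renames per 60 seconds and the ".crypt" extension are assumptions.

```python
"""Rename-burst detector for file-server audit events. Added example, not
code from the article: flags the "files are suddenly changing names" pattern
by counting, per user and host, renames that change a file's extension
inside a sliding time window."""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
import os

WINDOW = timedelta(seconds=60)  # assumed: look at bursts within one minute
THRESHOLD = 25                  # assumed: ordinary users rarely re-extension this many files a minute

# Constructed audit lines, tab-separated: ts  user  host  op  old_path  new_path
BENIGN = [
    "2016-06-10T09:10:12Z\tbob\tWS-03\tRENAME\t\\\\FS01\\shared\\draft v1.docx\t\\\\FS01\\shared\\draft v2.docx",
    "2016-06-10T09:11:40Z\tbob\tWS-03\tRENAME\t\\\\FS01\\shared\\~tmp4821.tmp\t\\\\FS01\\shared\\budget.xlsx",
    "2016-06-10T09:12:05Z\talice\tWS-09\tWRITE\t\\\\FS01\\shared\\notes.txt\t\\\\FS01\\shared\\notes.txt",
]
# Constructed burst: one account renames 40 spreadsheets to a ".crypt" suffix in 40 seconds
BURST = [
    "2016-06-10T09:14:%02dZ\tjsmith\tWS-17\tRENAME\t\\\\FS01\\shared\\doc%03d.xlsx\t\\\\FS01\\shared\\doc%03d.xlsx.crypt"
    % (i, i, i)
    for i in range(40)
]
SAMPLE_LOG = BENIGN + BURST


def parse_event(line):
    ts, user, host, op, old, new = line.rstrip("\n").split("\t")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "user": user, "host": host, "op": op, "old": old, "new": new,
    }


def extension(path):
    """Lower-cased final extension; UNC backslashes are normalised so basename works anywhere."""
    return os.path.splitext(os.path.basename(path.replace("\\", "/")))[1].lower()


def detect_rename_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per (user, host) whose extension-changing renames reach
    the threshold inside the window. Same-extension renames (v1 -> v2) are ignored."""
    recent = defaultdict(deque)  # (user, host) -> deque of (ts, new_ext)
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev["op"] != "RENAME" or extension(ev["old"]) == extension(ev["new"]):
            continue
        key = (ev["user"], ev["host"])
        q = recent[key]
        q.append((ev["ts"], extension(ev["new"])))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()  # drop events that fell out of the window
        if len(q) >= threshold and key not in alerted:
            dominant = Counter(ext for _, ext in q).most_common(1)[0][0]
            alerts.append({
                "user": ev["user"], "host": ev["host"],
                "first_seen": q[0][0].isoformat(),
                "renames": len(q), "extension": dominant,
            })
            alerted.add(key)
    return alerts


if __name__ == "__main__":
    for alert in detect_rename_bursts(SAMPLE_LOG):
        print(alert)
```

Office applications save through temporary files, so a handful of extension-changing renames per minute is normal; the threshold and window need tuning per environment, and an allow-list of expected extensions cuts noise further. An alert here is the cue for the first step D. took: isolate the host and account doing the renaming before the process reaches the next share.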
D. has a lot of takeaways from the ransomware attack and its aftermath. First of all, she and her client did a lot of things right. “All the servers were backed up both to NAS servers and to the cloud, so we could restore the systems and get everything back on track with no business loss to my client. We also didn’t panic and pay a ransom. I suspect that paying gets you listed on the Dark Web as an easy target, setting you up for more attacks. Instead, we spent the money on next-generation security software that made it much easier to detect and clean up the malware in my client’s system and will help me spot and stop attacks in future. Thank goodness we spent money on that instead of paying ransom.” Things she learned? “We could have restored the systems faster if I had told everyone to stay off the systems entirely and go to paper-based work until things were back to normal. It’s an inconvenience, but it would have speeded up the recovery. We also discovered some files on the network that had been created outside the file server and hadn’t been backed up. We had to get those off the network first, for safety, and then work out what had to be kept. So in future, we’ll be encouraging users to keep everything where it will be backed up. And I’m also considering a backup strategy for the NAS servers.”
If your organization is faced with a ransomware attack, do what D. and her client did:
The ransom decision can be a tough one. Like D., the FBI warns that paying ransom encourages this kind of criminal activity. On the other hand, if you’re in a situation like the recent attack on Hollywood Presbyterian Medical Center, and lives may be at stake, you have to balance those risks. In any case, take the time to find out what you’re dealing with and to assess your options and risks before making the ransom decision. If you have good backups and can recover quickly, you may not need to pay at all.
The only possible upside to the ransomware crime wave is that it may be the tipping point that drives businesses to prepare for the worst, be it malware attack or data breach. (In the Ponemon Institute’s Sixth Annual Benchmark Study on Privacy and Security of Healthcare Data, ransomware attacks ranked #2 out of all cyber attack concerns.) D. says her client has a new resolve and commitment to creating a really solid incident response plan, because this incident made it clear that attacks aren’t 100 percent preventable. “These systems had good firewalls, anti-virus, and anti-malware software running, but it obviously wasn’t enough. And while we didn’t get to do forensics, the files began to be encrypted just after the weekly software updates started, so the ransomware was probably introduced through a software update, not a user error.”
There are so many yet-to-be-answered questions about ransomware: What tactics will hackers try next? How can we stop it? Is it a breach? When to pay and when not to pay? The only certainty is that criminals will continue to have motive and means to attack for the foreseeable future. The best we can do is to limit their opportunities through user awareness, choosing the best cyber-security we can afford, and through preparation that enables us to respond and recover as efficiently as we can. The more we can keep ransomware from being a fast track to riches, the less criminals will invest in its future.