A few days ago, Marco returned from lunch to his small office and turned on his computer. It appeared that he had been logged out of his account, which sometimes happens because his workstation is a gateway that other employees go through to access files on his company’s main server. As Marco signed back in and started to use some of his usual programs, he noticed that some of the commands he normally used were missing. This should have been his first clue that something was very wrong, but he didn’t pay attention to what he was looking at. So he restarted his programs, and the issue persisted. Marco began to encounter other issues and elected to restart his computer. It was then that he noticed another session running in the background, and he observed that the session was using 30 to 40% of the CPU’s time, which was unusual. Marco then left the office for a meeting. Upon his return to the office the next day, it was apparent that ransomware had been placed on his system, encrypting all of his and the company’s files. His screen was filled with the hacker’s instructions on what to do and not to do if he wanted to unlock his company’s files. A ransom of 5 Bitcoins, which amounted to approximately $58,000, was demanded and eventually paid by his company.
The above account is not fiction, although it has been anonymized to protect the victim company. It happened, and it continues to happen on an all-too-frequent basis to companies and private citizens alike. Before we get too far ahead of ourselves, let’s look at what ransomware is and what can be done before, during and after a ransomware attack is executed. If you think you have been attacked, experts in ransomware recovery are available to aid in recovery.
According to the FBI, ransomware is a form of malware that encrypts files on a victim’s computer or server, making them inaccessible to the user. Cyber criminals then demand a ransom, usually in the form of Bitcoin or some other anonymized currency, in exchange for providing a key to decrypt the victim’s files. Ransomware attacks are becoming more sophisticated, better targeted and more costly. During the recent pandemic, ransomware attacks have become more prevalent with the advent of more employees working from home, using their own devices and networks, which may or may not be well protected.
Ransomware victims span most, if not all, economic sectors, including health care organizations, industrial/manufacturing companies, local and state governments, law enforcement institutions, educational institutions, transportation entities and other commercial entities, as well as the computers of private citizens. Historically, most attacks began as an email phishing campaign in which the cyber criminal used generic, broad-based spamming strategies to deploy their malware, while recent ransomware campaigns have been more targeted.
Cyber criminals socially engineer phishing emails to convey urgency: if the recipient does not act, the email is designed to create anxiety and fear of failing to take appropriate action, while also preying on the natural curiosity of the human being on the receiving end. The more information cyber criminals know about the recipient of their email, the more likely their attack will succeed. In the current pandemic, with a newly mobilized remote workforce, people are already anxious and may be more susceptible to an attack, often trying to “click away” their anxiety in search of answers that will alleviate their present concerns.
Ransomware is more prevalent nowadays because hackers have access to more sophisticated tools that are supported 24/7. Defense always lags behind offense when new tactics are being used. Ransomware tools are cheaper to build. There are also more distribution channels to exploit and more lucrative targets whose information is already in the public domain through Facebook, LinkedIn, other social media and internet searches. The method of paying the ransom, typically Bitcoin, is untraceable with regard to both the recipient and the payer and therefore cannot help law enforcement identify the cyber criminals. Cyber criminals also make use of the Tor anonymity network to interact with the victim, which anonymizes the cyber criminals’ identity.
Before the Event
It is important for any individual or organization to lay the groundwork to protect itself from becoming a ransomware victim. You cannot eliminate 100% of the possibility that you will be a victim of ransomware, but you can diminish the probability by being proactive. The primary defense for any organization or individual against ransomware is an effective and robust backup and restore capability for all your critical data. Having an up-to-date backup to restore from could save your company, and you personally, from having to pay a significant ransom and being at the mercy of hackers to regain access to your data. The time to invest in backups, and to test whether those backups actually restore properly, is not after a ransomware attack has occurred. Backups are critical to your company’s recovery from a ransomware attack.
In addition to having regularly updated backups and verifying that they can be restored, you must ensure that the backup drives or devices are not connected to the computers or networks after the backup completes; otherwise they too will be encrypted during a ransomware attack and rendered useless.
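The two paragraphs above make a concrete demand: a backup is only worth something if a restore from it has actually been tested. The following script is an added example, not part of the original article, that runs such a restore drill on a small constructed file tree: it records a SHA-256 manifest of the source at backup time, copies the backup into a scratch directory as a restore would, and checks every restored file against the manifest. The same check, run against the backup media directly, also tells you whether a backup that stayed connected during an attack has been silently overwritten. All paths and file contents here are constructed for the demo.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large backups do not exhaust memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative, POSIX-style path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): file_sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(restored: Path, manifest: dict) -> dict:
    """Compare a restored tree against the manifest taken at backup time.

    A file that is present but hashes differently is exactly what an encrypted
    backup looks like: same name, same size class, different bytes.
    """
    missing, changed = [], []
    for rel, expected in manifest.items():
        p = restored / rel
        if not p.is_file():
            missing.append(rel)
        elif file_sha256(p) != expected:
            changed.append(rel)
    return {"ok": not missing and not changed, "missing": missing, "changed": changed}


def restore_drill(source: Path, backup: Path) -> dict:
    """Back up source, restore the backup into a scratch dir, verify the result."""
    manifest = build_manifest(source)
    shutil.copytree(source, backup, dirs_exist_ok=True)
    (backup / "MANIFEST.json").write_text(json.dumps(manifest, indent=1))
    with tempfile.TemporaryDirectory() as scratch:
        restored = Path(scratch) / "restore"
        shutil.copytree(backup, restored)          # stands in for the real restore
        saved = json.loads((restored / "MANIFEST.json").read_text())
        return verify_restore(restored, saved)


def run_demo() -> tuple:
    """Constructed demo: a clean drill, then the same backup after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "fileserver"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "q2.xlsx").write_bytes(b"constructed spreadsheet bytes")
        (src / "readme.txt").write_text("constructed sample document")
        backup = Path(tmp) / "backup"

        clean = restore_drill(src, backup)

        # Simulate an attached backup drive that got encrypted: same filename,
        # different bytes. The manifest on the media still describes the originals.
        (backup / "finance" / "q2.xlsx").write_bytes(b"\x00ENCRYPTED\x00" * 3)
        manifest = json.loads((backup / "MANIFEST.json").read_text())
        tampered = verify_restore(backup, manifest)
        return clean, tampered


if __name__ == "__main__":
    clean_result, tampered_result = run_demo()
    print("clean drill:", clean_result)
    print("tampered media:", tampered_result)
```

Schedule the drill rather than running it once: the value is in noticing, before an incident, that a restore fails. The check does not replace physically detaching the media; a manifest stored beside the data can be encrypted along with it, so keep a copy of the manifest with the offline set.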
Your company can enhance the security measures taken to protect its computers and networks by training and educating employees and end users on information security principles and techniques. Ransomware is not a firewall/anti-virus issue. Socially engineered phishing attacks are often the vector of attack, and employees are the targets and as such are a company’s portal of vulnerability. Employees should be made aware of the threat of ransomware, how it is delivered, and how to recognize what may be a phishing email and not click on it.
Keep your operating systems, software and firmware patched, preferably through a centralized patch management system. Ensure that every server is patched, or it may become the access point to the whole network. Ensure that your anti-virus and anti-malware software is updated automatically and that scans are conducted frequently.
Restrict file, directory and network share permissions. Configure access controls so that only those who need access to particular information and data have it.
Consider disabling macro scripts in Office files transmitted by email. Also consider using Office Viewer software instead of full Office suite applications when opening Microsoft Office files.
Prevent the execution of programs in common ransomware locations by using software restriction policies or other controls. These locations are the temporary folders used by popular internet browsers and by compression/decompression programs, including those under the AppData/LocalAppData folder.
Since cyber criminals frequently exploit open RDP ports, companies should audit their network for systems that use RDP, close all unused RDP ports, require multi-factor authentication (MFA) and track RDP login attempts.
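“Track RDP login attempts” is only useful if someone, or something, looks at the records. Below is an added example, not from the original article, of the kind of detection a defender can run over Windows Security log events: it watches failed logons (event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP), raises an alert when one source address fails repeatedly inside a short window, and raises a second, more urgent alert if a successful RDP logon (event ID 4624) later arrives from a source that was already flagged. The events are constructed in-line for the demo; the field names are simplified versions of the real event properties, and the threshold and window are assumptions to tune for your environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs). 4625 = failed logon, 4624 =
# successful logon; logon_type 10 is RemoteInteractive (RDP), 3 is a plain
# network logon (file share access) and is ignored here.
BASE = datetime(2020, 6, 1, 12, 0, 0)


def _ev(event_id, logon_type, source_ip, user, seconds):
    return {"event_id": event_id, "logon_type": logon_type, "source_ip": source_ip,
            "user": user, "time": BASE + timedelta(seconds=seconds)}


SAMPLE_EVENTS = [
    _ev(4625, 10, "10.0.0.7", "admin", 5),          # one mistyped password, benign
    _ev(4624, 3, "10.0.0.7", "admin", 8),           # file-share logon, not RDP
    *[_ev(4625, 10, "203.0.113.45", "administrator", s) for s in range(0, 60, 10)],
    _ev(4624, 10, "203.0.113.45", "marco", 70),     # success from the noisy source
    _ev(4624, 10, "10.0.0.7", "admin", 100),        # normal admin RDP session
]

FAILURE_THRESHOLD = 5            # assumption: tune to your baseline
WINDOW = timedelta(minutes=2)    # assumption: sliding window for counting failures


def analyze_rdp_logons(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return alerts for RDP password-guessing bursts and logons that follow them."""
    recent_failures = defaultdict(deque)   # source_ip -> timestamps of 4625s in window
    flagged = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev.get("logon_type") != 10:
            continue                          # only RDP sessions matter for this check
        src, ts = ev["source_ip"], ev["time"]
        if ev["event_id"] == 4625:
            q = recent_failures[src]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures that aged out of the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"type": "rdp_bruteforce", "source_ip": src,
                               "failures": len(q), "time": ts})
        elif ev["event_id"] == 4624 and src in flagged:
            # A success after a guessing burst is the alert that needs a human now.
            alerts.append({"type": "rdp_success_after_bruteforce", "source_ip": src,
                           "user": ev["user"], "time": ts})
    return alerts


if __name__ == "__main__":
    for alert in analyze_rdp_logons(SAMPLE_EVENTS):
        print(alert)
```

In production the events would come from the Security log (or a SIEM) rather than a list, and the second alert type is the one to page on: a successful RDP session from an address that was just guessing passwords is the moment to disconnect the host, as the narrative below describes.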
Companies should categorize and prioritize data based on its criticality and value to the organization, and create both physical and logical separation of networks and data for different organizational units. In other words, protect your most valuable data more than your less valuable data.
Application whitelisting allows systems to execute only programs known and permitted by your company’s security policy. Also consider using virtual environments to run operating system environments or specific programs.
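The two controls described above, blocking execution from temporary and AppData locations and allowing only known programs to run, are usually deployed as policy objects, but it helps to see the decision logic written out. The following is an added example, not the article’s code and not a real policy engine, of how such a rule set evaluates a program: explicitly approved file hashes are allowed wherever they live, executables in temporary or AppData paths are denied, programs installed under trusted system directories are allowed, and everything else is denied by default. The approved hash, the trusted roots and the blocked path components are constructed assumptions for the demo.

```python
from pathlib import PureWindowsPath

# File types that count as "a program" for this policy (constructed list).
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd",
                         ".js", ".vbs", ".ps1", ".hta", ".pif"}

# Explicitly approved binaries by SHA-256 (placeholder hash, not a real binary).
APPROVED_SHA256 = {"0" * 64: "vendor-updater.exe"}

# Directories where properly installed software lives (constructed assumption).
TRUSTED_ROOTS = [("c:", "program files"), ("c:", "program files (x86)"), ("c:", "windows")]

# Any path containing one of these components is a blocked location: the
# browser/archiver temp folders and AppData/LocalAppData the article names.
BLOCKED_PATH_PARTS = {"appdata", "temp", "tmp"}


def _normalized_parts(path: str) -> list:
    """Lower-cased path components; the drive 'C:\\' becomes 'c:'."""
    return [part.lower().rstrip("\\") for part in PureWindowsPath(path).parts]


def evaluate(path: str, sha256: str = "") -> tuple:
    """Decide ('allow' | 'deny', reason) for launching the program at path."""
    p = PureWindowsPath(path)
    if p.suffix.lower() not in EXECUTABLE_EXTENSIONS:
        return ("allow", "not an executable file type")
    parts = _normalized_parts(path)
    if sha256 and sha256.lower() in APPROVED_SHA256:
        # An approved hash wins even inside AppData (e.g. a vetted self-updater).
        return ("allow", f"hash approved: {APPROVED_SHA256[sha256.lower()]}")
    if any(part in BLOCKED_PATH_PARTS for part in parts):
        # Checked before trusted roots, so C:\Windows\Temp is still blocked, and
        # '..' segments cannot help because the AppData component is still present.
        return ("deny", "executable in a blocked temporary/AppData location")
    for root in TRUSTED_ROOTS:
        if tuple(parts[:len(root)]) == root:
            return ("allow", "installed under a trusted directory")
    return ("deny", "not on the allowlist (default deny)")


if __name__ == "__main__":
    # Constructed sample launches.
    for sample in [
        (r"C:\Users\marco\AppData\Local\Temp\invoice.exe", ""),
        (r"C:\Program Files\Acme\acme.exe", ""),
        (r"C:\Windows\Temp\update.exe", ""),
        (r"C:\Users\marco\AppData\Local\Vendor\updater.exe", "0" * 64),
        (r"C:\Users\marco\Documents\notes.txt", ""),
        (r"D:\tools\unknown.exe", ""),
    ]:
        print(sample[0], "->", evaluate(*sample))
```

The order of the rules is the design point: a hash allowlist is the strongest statement of intent, location-based denial catches the payload that a phishing attachment drops into a temp folder, and the default is deny, so a program nobody approved does not run just because it landed somewhere unexpected.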
During the Attack
Let’s go back to our friend Marco. When Marco realized that his computer was infected with ransomware, he remained calm and contacted his IT department, which, not knowing how far along the attack was, instructed him to disconnect his computer from the network and to disconnect all devices from his computer. Unfortunately, Marco had to advise his IT contact that the attack had likely started the day before, when he first noticed anomalies while using his computer. The IT contact called the local police department and reported the attack to the FBI. Reporting the attack to the authorities is not done in the expectation that they can stop the attack or assist with remediation. Reporting the event to local law enforcement gets you a report number in case it is needed to make a claim against the company’s cyber security insurance policy or to claim a loss on corporate taxes. Notifying the FBI also allows them to track victims and crimes, to see whether other victims were attacked with the same ransomware variant, and to aggregate the cases if there is an open investigation or to get authority to open one.
At this point we leave Marco and his coworkers to sort out what damage was done to their systems and data. They will have to decide whether to pay the ransom or use their backups to restore their systems.
As a rule, the FBI does not advocate paying a ransom, because cyber criminals are not the most reliable people when it comes to keeping their word to decrypt your data once you have paid. Additionally, cyber criminals are not invested in customer service, so even if you pay and they are acting in “good faith”, they may not possess the know-how or capability to decrypt your data. Things can still go wrong with their algorithms too. Historically, ransomware cyber criminals were content to encrypt your systems and receive a ransom to unlock them, or, if no ransom was received, to move on to the next victim. However, we are now seeing a shift in tactics: cyber criminals steal sensitive information at the same time as executing the ransomware attack and threaten to release that information if no ransom is paid. Even if a company has a backup, it may still pay the blackmail money, hoping the cyber criminals keep their word not to disclose the information. These are some of the reasons the FBI will always be reluctant to reinforce criminal behavior by advocating that businesses pay ransoms. Furthermore, a company that pays may be a victim again at a later date because it has set the precedent of paying. So, if you do decide to pay, understand that you may be a target again. Also, if you do agree to pay, seek out a service to pay on your behalf so that you do not involve your company brand in the negotiations.
Ultimately, it is not the FBI’s decision whether or not a company pays the ransom. It is the decision of the company’s management team and perhaps its legal counsel. The management team must make the decision that is best for business continuity.
After the Attack
After the company has done its best to get back to business, it is time to make sure it limits the probability that this will happen again. Your company should start with a third-party assessment to determine what vulnerability let the attacker through. What system vulnerabilities were you not aware of? This should be done by a third-party vendor to ensure the integrity of the process; the in-house IT staff may also lack the tools or expertise to conduct the assessment. After the assessment, you need to clean or wipe your environment, because the cyber criminal might have left a backdoor to return through at a later date, or might have left additional malware embedded in the system. Next, invest in modern defenses such as real-time monitoring of your network. Firewalls and anti-virus are important, but they won’t give you network visibility or real-time alerts. Finally, invest in cyber security training and awareness for your employees, and test whether it is working. By educating your employees about cyber security threats you are developing them into “human firewalls” and lessening the likelihood that they will fall for phishing attacks and introduce ransomware into your network.
Ransomware is a very real existential threat to small and medium-sized businesses and as such needs to be prevented whenever possible. Seventy-eight percent (78%) of small and medium-sized businesses (SMBs) are targeted by cyber criminals, not only for their data but also as a portal to other systems. Sixty percent (60%) of SMBs that are hacked go out of business within six months of their victimization. This statistic does not have to be an inevitable outcome.
Prevention is key, and it relies on technological, operational and administrative means. Technological means include regularly backing up data and verifying that it can be restored should the need arise, applying patches, deploying anti-virus and anti-malware software, disabling macro scripts, etc. Operational means include restricting access to critical data and systems, implementing software restriction policies, following best practices for RDP, whitelisting, network and system segmentation, etc. Administrative means include implementing policies and procedures that institute best practices for employee behavior and actions, as well as cyber security training and awareness for those employees. Protecting your company against ransomware can be done. You now have the plan, so let’s get busy!