Many vendors today are leveraging ransomware as a sales opportunity. I recently had a conversation with Paul Comfort, our security expert here at Chi, and he provided some practical thoughts about ransomware that I felt were worth sharing. To many, this may seem like common sense. However, what makes these threats so challenging is that it’s not only the “bad guys” that IT organizations have to defend against, it’s also safeguarding against the simplicity of mistakes by users within their own organizations.

In basic terms, how did ransomware become such a strong threat and what are basic steps people can take to prevent it?

Ransomware presents one of the greatest IT security threats of all time, yet in most cases it is not based on anything new. It leverages techniques and methods for compromise that have been around since the beginning of the Internet. Ransomware has become big because it gives these attackers a financial motivation that was not there before. Because of this financial motivation, attacks are becoming more refined, phishing emails are becoming harder to detect, and the volume of attacks has increased.

Netflix users have recently been the target of a phishing attack. The emails appear to come from Netflix, they are properly formatted and grammatically correct, and many people are falling for them. Just clicking the link in the email to verify your details with Netflix will compromise your computer, encrypt your files, and demand ransom to get them back.

Here are some basic security tips to limit your exposure to ransomware:

  1. Never open email attachments from someone you don’t know.
  2. Never open email attachments from someone you do know when you were not expecting an attachment.
  3. If you receive an email from anyone with links in it, never click the link unless the sender is highly trusted and you know for sure the sender sent the email. It is better to visit a website manually and search for the same information rather than clicking the link. This is especially true for bank accounts – you should never click a link in any bank email ever. On a similar note, if you receive a voicemail or email from the “credit card fraud department” about “unusual activity,” always call the number listed on the back of your credit card, your statement, or the bank’s official website, and not the number they supply over the phone or email.
  4. If you connect to WiFi / networks other than work or your home connection, enable your VPN before doing anything, including starting Outlook or your web browser. This applies to WiFi for your laptop and your phone, and especially to unsecured (no password) WiFi, which should be avoided if at all possible.
  5. Make sure your antivirus is currently running and up to date.

Lastly, make sure you store your data on a secure network share, and make sure any important data is backed up on a regular basis. There are usually only three choices after a ransomware attack:

  1. Pay
  2. Live without the data
  3. Restore from offline / out of band backups. Most would prefer this option.

Once a Ransomware attack is resolved, how do organizations ensure they are not still hiding on the network and planning another attack? The industry focus is often on prevention, but what if they are already in?

That is a problem that many people are ignoring. There are two things going on that lessen the likelihood for ransomware reinfection, both having to do with the financial component. First, many of these attackers feel that they are doing people a service. They will patch systems and even educate the users to help them not have it happen again – go figure, it’s very surprising. Second, a repeat attack from the same person has a much higher likelihood of detection, especially if the victim made law enforcement aware of it. The risks went up significantly.

With any sort of compromise, ransomware or not, if someone has been on your system there is only one way to be absolutely certain that they haven’t left means to get back, and that is to physically destroy the system. Now, that’s way extreme, so most people will take a step somewhere in the middle. The chance that someone installed a boot rom based exploit that would survive a reload is probably rather small unless it was a state sponsored attack, or you have something really valuable. I recommend always at a minimum wiping the system clean and doing a fresh reload. I’ve seen re-infections too many times.

The problem with that is that it gets harder to do on a network because you have to wipe every last affected computer at the same time before bringing the first clean system back online. It really isn’t practical. I’ve seen a really intelligent attempt at bringing new systems up on a protected VLAN that failed and got everything re-infected. The job of the motivated attacker is much easier than the job of the defender. The attacker only has to succeed one time to get a foothold. The defender has to be vigilant at all times.

That’s why I have said one time or another that EVERYONE is compromised. There’s always something going on with a network of any significant size that the network owner is not aware of that he would want to stop if he could.

The right answer is to do what you can do given the risk involved. Usually that means doing a thorough analysis of how the intruder / malware got in, what it did, what systems it touched, and whether or not there was any interactive access by the attacker. If you have a legal liability for the data (almost certain), and/or want to really understand everything that happened, and/or think you ever want to go after the attacker, then you would pull the drives from the affected systems and start a legal and forensically sound chain of custody and evidence protection process immediately after determining that there was a compromise. It’s easy at this point for inexperienced sysadmins to make a mistake that compromises the evidence or gives the script/attacker a chance to clean up evidence.

This is rather generic, but would fit most situations. As soon as you recognize that there was a compromise on a system:

  1. Pull the power plug.
  2. Pull the storage.
  3. Notify people that you are no longer in production.
  4. Analyze the attack from a forensically sound platform.
  5. Wipe/reinstall the affected system(s).
  6. Repair or fix whatever issue allowed the attacker to get in the first place.
  7. Restore from backups.
  8. Force a password reset on all users, admins, and service accounts.
  9. Go back into production.

If you can determine from the analysis that it was a scripted attack where the script and the malicious content are known, it may be possible to clean it up rather than reloading it. If you were big enough that you have redundant systems and hardware then obviously you can get back in production faster, but you have to realize that whatever vulnerability existed on the primary system probably exists on the backup / DR system, and putting DR into production without understanding the attack may be the worst thing you could do. It is also pointless to bring any system back online when there are other compromised systems on your network. You may have to bring the system online and watch it get reinfected from another internal system before you can figure out what all those systems are, but that’s painful.
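Steps 2 and 4 of the checklist above (pull the storage, analyze from a forensically sound platform) depend on being able to prove later that the evidence was not altered after it was pulled. The following is an added example, not code from the interview or from Chi: a small evidence-intake manifest that hashes each acquired item, records who took custody and when, and can re-verify every item on demand. The file names, custodian name and the sample "images" are constructed stand-ins for real disk images; the hashing is streamed so a multi-gigabyte image does not have to fit in memory.

```python
"""Evidence-intake manifest with hash verification.
Added example (not from the original interview). The sample files written by
demo() are constructed stand-ins for acquired disk images."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file in 1 MiB chunks so large images do not need to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_manifest(items, custodian, manifest_path):
    """items: list of (label, path). Records size, SHA-256 and the first custody
    event for every item, then writes the manifest as JSON."""
    now = datetime.now(timezone.utc).isoformat()
    manifest = {"created": now, "items": []}
    for label, path in items:
        manifest["items"].append({
            "label": label,
            "path": os.path.abspath(path),
            "size": os.path.getsize(path),
            "sha256": sha256_file(path),
            "custody": [{"time": now, "custodian": custodian, "action": "acquired"}],
        })
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def add_custody_event(manifest_path, label, custodian, action):
    """Append a hand-off / examination event to one item's custody log."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    for item in manifest["items"]:
        if item["label"] == label:
            item["custody"].append({
                "time": datetime.now(timezone.utc).isoformat(),
                "custodian": custodian,
                "action": action,
            })
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)


def verify_manifest(manifest_path):
    """Re-hash every item. Returns {label: True if intact, False if missing or changed}."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    results = {}
    for item in manifest["items"]:
        intact = (
            os.path.exists(item["path"])
            and os.path.getsize(item["path"]) == item["size"]
            and sha256_file(item["path"]) == item["sha256"]
        )
        results[item["label"]] = intact
    return results


def demo(workdir=None):
    """Constructed scenario: two small files stand in for pulled drive images.
    Returns the verification results before and after one image is touched."""
    workdir = workdir or tempfile.mkdtemp(prefix="evidence-")
    img1 = os.path.join(workdir, "ws-17-sda.img")        # hypothetical workstation
    img2 = os.path.join(workdir, "fileserver-sdb.img")   # hypothetical file server
    with open(img1, "wb") as f:
        f.write(b"\x00" * 4096 + b"sample image 1")
    with open(img2, "wb") as f:
        f.write(b"\x00" * 4096 + b"sample image 2")

    manifest_path = os.path.join(workdir, "manifest.json")
    create_manifest([("ws-17-sda", img1), ("fileserver-sdb", img2)],
                    "on-call analyst", manifest_path)
    add_custody_event(manifest_path, "ws-17-sda", "forensic examiner", "received for imaging")
    before = verify_manifest(manifest_path)

    with open(img2, "ab") as f:
        f.write(b"X")  # simulate someone altering the evidence copy
    after = verify_manifest(manifest_path)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)  # both True
    print("after: ", after)   # fileserver-sdb flagged False
```

Run the manifest creation on the pulled drives (or the images taken from them) before anyone starts analysis, keep the manifest with the evidence, and re-run verify_manifest before each examination and before handing anything to counsel; the custody log gives the "who, when, what" that a chain-of-custody record needs, and the hash mismatch on the altered image shows the kind of inexperienced-admin mistake the answer above warns about.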

EVERYONE is compromised