“Modern ransomware not only encrypts data, but exfiltrates it for further resale”
It’s the dirty little secret of too many businesses to count: they got hit by ransomware and quietly paid up (the amoral/pragmatic, depending on your viewpoint) or stripped and rebuilt thousands of desktops and servers (the pugnacious/distrusting).
For many more, it’s not a dirty little secret: it’s a highly public case of egg on your face (particularly for the security companies hit in 2019), tumbling share price and customer fear (was our data stolen/have our systems also been infected as a result?)
Yet two long years after shipping giant Maersk was forced to rebuild a network of 4,000 servers and 45,000 PCs after a colossally destructive NotPetya attack, ransomware incidents remain widespread; powered by increasingly sophisticated malware.
(Security firm Emsisoft highlights 103 federal, state and municipal governments and agencies hit in the US this year, among 1,000 public sector incidents: just this morning ZDNet reports that a coast guard facility was hit by the Ryuk ransomware.)
For those who haven’t been hit, it can be hard recognise quite how crippling and debilitating such an attack can be. Computer Business Review spoke to over 20 security experts for guidance on how to avoid attack in 2020 – and what to do should the worst happen and you find your company hit by ransomware.
Their guidance boiled down to a handful of (hopefully to most businesses obvious by now) fundamental tenets: back-up religiously and store your back-ups outside your network; improve your security hygiene by patching regularly, training staff to recognise phishing attempts, segmenting networks and introducing multi-factor authentication, and stringently lock down remote access.
1: Don’t be Forced to Go to Ghana for your Back-Ups…
As Andy Greenberg details in his write-up on the Maersk attack, the company’s admins initially struggled to find a back-up of their domain controllers; the servers that act as a detailed map of its network and which hold rules on who gains access to what.
All 150 had been programmed to sync with each other, so any could function as a back-up. Yet they all got hit.
It took the chance find of a domain controller server in Ghana that had earlier been knocked offline by a power outage to save the day.
A Relay Race…
(With bandwidth too thin to transfer its data internationally and visas for Ghana set to take days, the server’s contents were handed over on a hard disc to executives in Nigeria in an international “relay race” as the company scrambled for a fix).
Few companies will face quite such dramatic action, but the crucial nature of back-ups remains central to mitigation efforts (and preparing for the worst was a first-step that few security experts disputed: “fail to prepare and prepare to fail”).
As Aron Brand, CTO at Israel’s CTERA puts it crisply: “Make sure all of your data is reliably backed up and physically separated from the main dataset, with backup versions in a read-only repository. In the event of an attack, you can rollback to an uninfected file version and be up and running quickly.”
He adds: “If your data is outside your firewall, it must be encrypted. Keys should be generated and managed internally by trusted individuals, separate from any third-party service to ensure total data privacy.”
Businesses should establish precisely what they need to back-up, where they plan to store it, and who can access it. If systems are on-premises, having back-ups in the cloud is one option. Gaming system restoration after an attack is also recommended.
2: Patch or Be Punished…
Patching can be a chore. It can’t be ignored.
(Nearly 80 percent of CIOs have refrained from adopting an important security update or patch due to concerns about the impact it might have on business operations).
As Rich Langston, Senior Technical Product Manager at AT&T Cybersecurity puts it: “Patching, system/application updates, end of support/life platform migrations, user administration and configuration management can be tedious, but these actions will greatly reduce the risk of opportunistic attacks and help mitigate risk.
Langston adds: “Regular and continuous vulnerability assessment scanning will identify application, OS and network vulnerabilities, so organizations can prioritize remediation efforts that can help prevent ransomware attacks.”
3: RDP (And Other Horrors)
Earlier in 2019 Check Point tested three common Remote Desktop Protocol clients for vulnerabilities. (RDP is commonly used by technical users and IT staff to connect to / work on a remote computer. It is a proprietary protocol developed by Microsoft.)
- mstc.exe – Microsoft’s built-in RDP client.
- FreeRDP – The most popular and mature open-source RDP client on Github.
- rdesktop – Older open-source RDP client, available by default in Kali-linux distros.
The company found 16 major vulnerabilities.
Few security experts will be surprised as a result that, along with spearphishing, RDP is a common entry point for ransomware. As Sophos puts it bluntly: “Lock down your RDP; turn it off if you don’t need it, use rate limiting, 2FA or a VPN if you do.”
The company adds: “If remote access is required, use a VPN with industry best practice multi-factor authentication, password audits and precise access control.
“Servers with remote access open to the public internet need to be up-to-date on patches and protected by preventative controls, and actively monitored for anomalous login and other abnormal behaviour. Users logged into remote access services should have limited privileges for the rest of the corporate network. Administrators should adopt MFA and use a separate administrative account from their normal user account.”
4: Staff Training
Aas David Ellis, VP of security at Tech Data notes: “Staff are one of the most important lines of defence against ransomware, so ensuring they are trained to spot suspicious emails, instant messages and other phishing attempts is critical to keeping your business online.”
It may be obvious, it may be hard to drum in; it still needs doing — regularly — particularly as phishing attacks become more targeted and look set to make growing use of so-called deepfakes.
5: Should I Pay (And Should I Tell?)
If there is one thing our security experts disagreed vehemently on, it was whether those afflicted by ransomware should pay up in the event that back-ups are hard to come by.
Tech Data’s David Ellis is unequivocal: don’t pay. He says: “First things first, do not pay the ransom. It only encourages and funds these attackers. Even if the ransom is paid, there is no guarantee that you will be able to regain access to your files.
Zulfikar Ramzan, CTO at RSA Security, takes a more pragmatic view. He tells Computer Business Review: “Ultimately it is a business decision whether to pay or not to pay – if it’s critical data, assuming you can’t get it from back up tapes, then paying the ransom becomes the most viable mechanism for getting that data back and might be the only hope you have to restore it; in which case you are faced with little choice but to pay up.
“There are no guarantees, of course, that you will get your money back; but the reality in most cases is that ransomware authors tend to be good to their word – it’s bad business for them if words gets out that even if you pay the ransom you still lose your data.”
So How Do Negotiations Play Out?
“Ransomware authors typically provide quality “customer service” and will walk organisations through the ins and outs of setting up bitcoin or making a payment. There is an option to negotiate, as with any business deal. But the hacker will have the upper hand. Remember, they have your data, have infiltrated your networks and may know your secrets or have other critical assets. They potentially have your financial information and know exactly how much you can afford to pay.
“So if you are a large multinational trying to negotiate over a few hundred or thousand dollars, that likely won’t go well. If, however, you are a small company with limited funds and you really can’t afford to pay, then it is certainly worth entering into a dialogue as they may cooperate. If you do decide to pay, then it would be worth requesting some sort of proof that they have the capability to decrypt the data by offering up a test file to prove they are capable of following through on their end. Although, even if they give you the cryptographic key to your data, it is worth getting professional help to decrypt your data to make sure it is done correctly.”
What About Disclosure?
As Ilia Kolochenko, CEO of web security company ImmuniWeb notes: “Modern ransomware not only encrypts data, but concurrently exfiltrates it for further resale in the Dark Web. As a result, ransomware attacks are targeted data breaches with often severe legal ramifications.
“Being mindful of the mushrooming multitude of data protection laws and regulation (GDPR or California’s CCPA for instance), it would be wise to talk to your corporate counsel about any duties of disclosure or victim notification stemming from the incident. Most important, be accountable and fair about the incident with the concerned stakeholders, don’t try to downplay or conceal the problem.”