Is anyone immune to ransom ware?
Oftentimes people have a false sense of security, believing they don’t have to worry about ransomware because they don’t have anything to steal. They don’t have anything that anyone wants. If that’s a true statement, why have a computer? If there is nothing of value to you on that computer, why lug it around or waste space with it on your desk at home?
Just this week I was talking to a CIO about some malware we found on his network. He told me they are looking into “plugging the holes” and “fixing the problem.” He then proceeded to tell me, “but we are a manufacturing company and we don’t have much sensitive data – so while we do take security ‘very seriously’ I don’t think we have much risk.”
OK. You manufacture parts that are very specific, and you have competitors in the industry. The parts you manufacture are for highly regulated industries where a deviation from the plan could be catastrophic. I would assume, though I don’t know for sure, that you probably have patents. Any other data that’s not sensitive? How about payroll, medical and employee data? I just shook my head, but this is a topic for another time.
Oftentimes the casual home user is shocked when they go to look for their pictures and they are gone, or for some personal records, which now exist with .lockey as an extension or one of the other encryption suffixes. They don’t know what to do or where to turn, and if they have not been vigilant about their backups, their files are lost.
If you get encrypted at home that’s terrible, but what happens when it happens at work? Take the company I mentioned above: if they have the mindset that they don’t have any sensitive data and no one wants the data they have, that mindset doesn’t really matter, because no one is technically targeting them. It’s simply a web of compromised computers that users will run into either by surfing the web or by downloading a file or clicking on a link.
What happens when a company gets encrypted? Hopefully it’s an isolated incident, but what about when it is not? What happens when the user has drives mapped and all of a sudden all of the files on the share that the whole company uses are encrypted? The answer is that you had better have good backups. But oftentimes once you get encrypted and recover, you are going to get encrypted again, because the malware still exists in your environment.
What can corporations do?
So what is the solution? There are many, but some of the strategies include backups, better pre-infection defenses, user awareness training and post-infection defenses. We will discuss each below.
Up-to-date backups
This strategy is good for ensuring there is no data loss, but if this is your only strategy you are likely going to be pretty busy. I had a few customers that got encrypted, spent the better part of the next 24 hours recovering from that attack, only to be re-encrypted the next day. After the second time restoring backups to various critical servers – and losing three days of productivity – they were encrypted for a third time.
Why didn’t they take the infected hosts off of the network? They did. Or at least they thought they did. The problem was they didn’t know how badly they were infected. Likely a little bit of user awareness training would have helped this situation as well, but at the point where all of their files are fully encrypted it’s too late to think about that.
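The two problems above, a whole share being renamed out from under everyone and not knowing which hosts are doing it, show up early in file-server audit logs. The following is an added example, not code from the post or from any vendor: it walks a constructed rename audit trail and reports which (user, workstation) pairs renamed several share files to a ransomware suffix such as the .lockey extension mentioned earlier inside a short window, so the workstation can be pulled off the network before the next restore. The log format, host names and the suffixes other than .lockey are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit trail from a file server (hypothetical one-line format):
# "<ISO timestamp> <user> <workstation> RENAME <old path> -> <new path>"
SAMPLE_AUDIT_LOG = r"""
2017-02-01T09:00:01 jdoe WS-114 RENAME \\FS01\shared\q1\budget.xlsx -> \\FS01\shared\q1\budget.xlsx.lockey
2017-02-01T09:00:04 jdoe WS-114 RENAME \\FS01\shared\q1\forecast.docx -> \\FS01\shared\q1\forecast.docx.lockey
2017-02-01T09:00:05 asmith WS-201 RENAME \\FS01\shared\hr\draft.docx -> \\FS01\shared\hr\draft.docx.lockey
2017-02-01T09:00:09 bwong WS-077 RENAME \\FS01\shared\eng\spec_v1.docx -> \\FS01\shared\eng\spec_v2.docx
2017-02-01T09:00:12 jdoe WS-114 RENAME \\FS01\shared\q1\payroll.csv -> \\FS01\shared\q1\payroll.csv.lockey
2017-02-01T09:00:30 jdoe WS-114 RENAME \\FS01\shared\q1\patents.pdf -> \\FS01\shared\q1\patents.pdf.lockey
"""

# The extension named in the post plus constructed examples of other suffixes
RANSOM_EXTENSIONS = (".lockey", ".encrypted", ".crypt")

EVENT_RE = re.compile(r"^(\S+) (\S+) (\S+) RENAME (\S+) -> (\S+)$")


def parse_event(line):
    m = EVENT_RE.match(line)
    if not m:
        return None  # blank line or an event type we do not care about
    ts, user, host, old, new = m.groups()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "host": host, "old": old, "new": new}


def has_ransom_suffix(path):
    return path.lower().endswith(RANSOM_EXTENSIONS)


def find_encryption_bursts(log_text, threshold=3, window=timedelta(seconds=60)):
    """Map (user, workstation) -> peak number of files renamed to a ransomware
    suffix inside any `window`, for pairs that reached `threshold`."""
    recent = defaultdict(deque)   # per (user, host): timestamps still in the window
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or has_ransom_suffix(ev["old"]) or not has_ransom_suffix(ev["new"]):
            continue              # only renames *to* a ransomware suffix count
        key = (ev["user"], ev["host"])
        q = recent[key]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:
            q.popleft()           # drop renames older than the window
        if len(q) >= threshold:
            alerts[key] = max(alerts.get(key, 0), len(q))
    return alerts
```

The workstation in the result is what you disconnect; the user is whose share permissions are doing the damage, which is why a single user with a mapped drive can take out a company-wide share.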
Pre-infection defenses
You name the vendor and they have a solution to stop you from being encrypted. It is likely based on cloud analytics, whether user traffic is routed through the cloud or the cloud talks to a device on-prem. These solutions are a great defense, especially from the larger players in the space, because they see traffic globally. Oftentimes once they see the malware, its hash is recorded, so future attacks using the same sample are thwarted rather easily.
If you determine this is the solution for you, one of the things you will want to be aware of is that you not only need to inspect HTTP and SMTP traffic, but also HTTPS and TLS traffic. When I look at my customers’ ratio of encrypted to non-encrypted traffic it ranges anywhere from 50% to 80%. In other words, if you are not looking at HTTPS, you are blind to at least half of your traffic.
User awareness training
This is either considered an obvious must-have by companies or it’s considered useless and a waste of time. It depends on the mindset. I can tell you from personal experience it is not a waste of time. It is also not the magic bullet that is going to stop all of your problems, but even if you are not a security awareness believer, it will pay off over time.
When I do trainings I dub my students human firewalls after the training. I start with the very basics and expand from there. I repeatedly drill the most important items home (don’t click on links in unexpected emails, don’t open attachments from unexpected emails, etc.) in every training I do. To keep them engaged I talk about current topics and I also relate IT training to home. If you have a home user with good security hygiene, it will carry over to work.
It’s funny. Oftentimes I will be walking around the halls at work and I will overhear someone talking about a human firewall. That is awareness. That is exactly its purpose.
Post-infection defenses
You can get infected with ransomware but still not lose your data. When you get infected, before the files can be encrypted the encryption key has to be written back to command and control. There are a bunch of companies out there today that look for this key exchange and try to block it. That’s great if it’s ransomware, but what if it’s some other sort of attack? And are you also looking at HTTPS traffic, or are you blind?
One of my favorite post-infection strategies is the Anti-Bot blade from Check Point Software Technologies. What Anti-Bot does is watch the wire for any command and control communication. If it sees it, it’s blocked. This means you could potentially have a user compromised, but it’s not drastic, because the attack was not successfully completed. This solution works not only for ransomware but for all types of command and control compromises.
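To make the two post-infection points concrete (watching the wire for command and control check-ins, and the HTTPS blind spot raised earlier), here is an added example that is not from the post or from Check Point: it runs over a constructed proxy log, measures what share of the bytes sit inside HTTPS tunnels the proxy cannot see into, and flags client/destination pairs contacted at near-constant intervals, the regular check-in rhythm that command and control traffic tends to have. The log format, addresses and host names are all constructed; the check-in host is a labelled placeholder.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log (hypothetical format): "<epoch secs> <client> <method> <host> <bytes>".
# CONNECT lines are HTTPS tunnels: without TLS inspection only the destination is visible.
SAMPLE_PROXY_LOG = """
1485936000 10.1.5.23 GET intranet.example.local 5120
1485936000 10.1.5.23 CONNECT checkin-placeholder.example.invalid 300
1485936300 10.1.5.23 CONNECT checkin-placeholder.example.invalid 310
1485936600 10.1.5.23 CONNECT checkin-placeholder.example.invalid 295
1485936900 10.1.5.23 CONNECT checkin-placeholder.example.invalid 305
1485936050 10.1.5.40 GET news.example.com 84000
1485936070 10.1.5.40 CONNECT mail.example.com 120000
"""
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d+)$")

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, method, host, nbytes = m.groups()
            events.append((int(ts), client, method, host, int(nbytes)))
    return events

def uninspected_fraction(log_text):
    """Share of bytes inside CONNECT tunnels: the traffic you are blind to
    unless you also inspect HTTPS."""
    events = parse(log_text)
    total = sum(e[4] for e in events)
    tunneled = sum(e[4] for e in events if e[2] == "CONNECT")
    return tunneled / total if total else 0.0

def find_beacons(log_text, min_hits=4, max_jitter=0.1):
    """(client, host) -> average interval in seconds for pairs contacted at
    near-constant intervals. CONNECT lines count: the destination is visible
    even when the payload is not."""
    times = defaultdict(list)
    for ts, client, _method, host, _nbytes in parse(log_text):
        times[(client, host)].append(ts)
    beacons = {}
    for key, ts_list in times.items():
        if len(ts_list) < min_hits:
            continue              # too few contacts to call it periodic
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[key] = round(avg)
    return beacons
```

In the sample the beacon is only visible because the CONNECT line exposes the destination; if the check-in had been hidden inside a tunnel to a legitimate-looking host, only HTTPS inspection would have shown what was inside it.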
Which is the best solution? The best solution is a mix of all of them. You absolutely want your users trained and aware of what they are doing. You need to proactively protect yourself so that, hopefully, not many attempts successfully make it to a user. You need to be proactive in blocking command and control communication, because ultimately there is going to be a user that gets compromised. And along those lines you need to have a solid backup plan. So the simple answer is training, preventative controls, post-infection controls and solid backups.
Not only will the above strategy help you with ransomware, it is also a comprehensive strategy for dealing with all malware.
Are you vulnerable?
Bad guys are getting crafty. At first they just encrypted home users, then regular users at a company. Next it was mapped drives and servers. Then they started to target verticals. Some of these verticals include healthcare (http://www.healthcareitnews.com/slideshow/ransomware-see-hospitals-hit-2016?page=1). A famous one was the San Francisco transit attack: right around Black Friday the transit authority could not charge customers to ride, so they had to let them ride for free (http://www.forbes.com/sites/thomasbrewster/2016/11/28/san-francisco-muni-hacked-ransomware/). Or more recently a luxury hotel (http://www.thelocal.at/20170128/hotel-ransomed-by-hackers-as-guests-locked-in-rooms) and a police department (http://www.wfaa.com/news/local/cockrell-hill-police-lose-years-worth-of-evidence-in-ransom-hacking/392673232).
So who is at risk? The easiest thing to do is to think about your business. Then determine: if you did not have access to <fill in the blank>, would you lose money, or would you still be able to conduct your business? Think of every angle. Think of every possibility. If there is data that you take for granted, do not assume it will always be there. If you need that data to perform business functions, have a comprehensive plan.
If you think long and hard and determine that there is no such data, you can rest assured you are not at risk. However, if you come up with an angle where having data rendered useless causes problems for your company, you should look at a comprehensive strategy.