Skull and crossbones adorning a pair of Alexander McQueen boots, um yes, please. Skull and crossbones flashing across my PC, uh no, thanks. While the former speaks of swashbuckling ready-to-wear, the latter reeks of I’m a victim of ransomware.
When ransomware strikes, there aren’t many options for response and recovery. Essentially, you can choose to:
● Pay the ransom (and hope for the best). If you don’t have the very particular set of skills of Bryan Mills, you may decide to pay the ransom. It’s a choice, however, that comes with a few caveats. First, you need to have adequate cryptocurrency or the ability to convert traditional currency—either way, it’s neither cheap nor easy. You must also accept that there are no guarantees. Negotiating with cybercriminals could send you down a slippery slope. If you pay, hackers may or may not give you the decryption key to unlock your data. They may only provide partial access and demand more money. They may—in fact, it’s highly likely—strike again since they know you’re susceptible. And finally, they could use your payment to aid or fund illicit operations, including terrorism, that are in violation of domestic and/or international law.
● Not pay the ransom (and hope for the best). If Bryan Mills is more your style and you decide not to pay the ransom, it’s important to save the infected drive for future analysis. At some point, a security researcher could very well crack the encryption code on that version of ransomware and enable you to regain access to lost files.
● Restore data from backups. Option three assumes that your organization has comprehensive backups stored completely offline and separate from the compromised network.
● Nuke and pave. Sounds dramatic, I know. But if you don’t have backups and either can’t or refuse to pay a ransom, you’ll likely be forced to rebuild the impacted infrastructure from the ground up. Good times!
Okay, not good times and not great choices, but as a whole, they do a great job of highlighting the importance of taking proactive steps to prevent infections. The tentacles of ransomware can reach far and wide. It’s not just a potential hit to your purse strings. When you lose access to data, you lose time, you lose productivity.
No More Would’ve, Could’ve, Should’ves
Instead of having to choose from lousy reactive options, wouldn’t it be better get proactive and implement some practices that could help prevent ransomware infections in the first place?
Patch, Patch, Patch!
If you’re like most, if not all, organizations, you have software installed on your systems. Software comes with vulnerabilities, and attackers love to exploit vulnerabilities. No doubt you’ve heard it before, but instituting and adhering to a solid patch-management policy cannot be stressed enough.
Patching is a simple and effective way to help defend against ransomware. It should be a regular, habitual routine, whereby organizations update often and update everything—from laptops and desktops to servers, mobiles devices, operating systems (Windows, macOS, Linux/Unix), endpoint security (antivirus/antimalware software), web browsers, anything that connects to the network.
Educate, Educate, Educate!
Sad, but true, end users are most often to blame for ransomware attacks. Either they fall prey to a malicious phish or drive-by download on an infected site. Why? Maybe they didn’t know better. Maybe they forgot. Maybe they got lazy.
While it’s encouraging to see that more and more organizations are now requiring employees to attend security-awareness training programs, it doesn’t necessarily mean that everyone retains what they’ve learned. Therefore, education should be ongoing and encourage hypervigilance to the point where it becomes second nature for users to always be looking for signs of malicious intent and triple-checking sources before clicking on links or opening email attachments.
Block, Block, Block!
Let’s talk vulnerable systems.
A colleague of mine once worked for a company that was hit by a rash of ransomware. As a member of the incident response (IR) team, he and his team wanted to get to the bottom of the issue. For about a month, they looked into end-user browsing habits, personal email usage, attachment opens, anything that might reveal patterns of behavior and help to pinpoint initial infection vectors. What they found was that nearly 95 percent of all identified infections came from exploit kits attacking system vulnerabilities.
The more they researched, the more they kept returning to two invaluable blogs: Malware Traffic Analysis (MTA) and Broad Analysis (BA). Maintained by security researchers, these blogs, which offer threat intelligence on network traffic associated with malware infections, triggered a “Eureka!” moment. The team IR thought, “What if we were to scrape MTA and BA every morning for new ransomware domains and IPs and, accordingly, put in blocks at the firewall and web proxies?”
Their intent was to stop an infection in progress, before a second-stage downloader could be executed. Sure, a user might still open a malicious attachment or fall victim to a drive-by download and subsequent infection, but if the command-and-control (C2) domains and IPs were blocked, the team would have a fighting chance to stop a full-blown infection.
The team tested their hypothesis and the results proved amazing. Day one after putting up blocks? No ransomware infections. Day two? Three? Nothing.
It had taken creativity and a certain set of skills, but the battle against ransomware had been taken to another level—and overcome.