Ransomware is the extortion-driven malware epidemic sweeping the globe. There is a large and growing number of Ransomware families, with new variants of each created on a daily basis in order to evade anti-malware tools. As with WannaCry, designs may increasingly include worm-like capabilities, allowing the malware to spread automatically and rapidly. Most Ransomware infections begin either with inadvertent execution by a user following an email phishing attack, or with direct insertion during a hacking attack.
Whilst there is no shortage of Ransomware articles and advice, there are also a number of misconceptions concerning how to prepare for and respond to incidents. I have described some of these misconceptions below and have also outlined my generic guidance for organisations on putting protective measures and procedures in place, as well as on being prepared should the worst occur.
Good Intentions: Confused Advice
You may see the standard security recommendations replicated as Ransomware advice. Whilst they are good general security practices and you should follow them, they will NOT help you specifically in relation to Ransomware. Examples include:
1. Install anti-malware and keep it updated: the whole reason many Ransomware incidents are occurring is precisely because anti-malware tools are not effectively blocking it. Please note I use the word ‘effectively’ because, whilst AV solutions will protect you against known malware, including Ransomware, they are not blocking the new strain variants, and this is causing angst in many boardrooms where executives assume that using AV should afford them the protection they thought they were paying for. Some security software vendors are raising their game and some take refreshingly different approaches which are more effective, but at present reliance cannot be placed on this control alone.
2. Use a firewall: Again, whilst good advice, this safeguard is not specifically going to protect against Ransomware any more than border passport control is going to stop an Ebola carrier.
3. The WannaCry Ransomware has been disabled: whilst the superb work of Marcus Hutchins, a.k.a. MalwareTech, did indeed result in the prevention of the NHS strain of the Wanna Decryptor, it is sadly the case that new variants that operate without the ‘kill switch’ have already been reported. In addition, there are a huge number of other Ransomware variants in the wild which are just as damaging.
4. Applying the Microsoft security patch will protect you: applying the security patch (MS17-010) will address the specific vulnerability which the WannaCry (Wanna Decryptor) Ransomware exploited in order to spread, so it is vital that it is applied where needed; however, this patch will not protect your systems from Ransomware generally.
In order to clarify for you, here are the risk scenarios which may apply to your organisation when it comes to Ransomware:
Scenario A. You have not yet been hacked/phished and infected. Preventative measures or preparedness are not yet in place. You’re OK (for now) but need to ensure your security and preparedness as a matter of urgency.
Scenario B. You have implemented preventative measures and have experienced a Ransomware incident but were able to interrupt infection and spread. You’re OK but must ensure that your IT specialists suitably alert you to future ‘near misses’ and that you regularly review the need for improvements in your security.
Scenario C. You have implemented preparedness and have been targeted and infected but were able to recover without paying the ransom, i.e. you were able to restore your systems from backups. You’re recovered but at some cost. Consider how the impact might be reduced in the future with improved security or plans.
Scenario D. You have experienced a Ransomware incident but had no preventative measures or preparedness to manage the incident, and you paid the ransom. You’re recovered for now, though this isn’t guaranteed because you may now be on a suckers’ list for further targeted attacks. You may also have inadvertently paid money to terrorists!
Scenario E. You have experienced a Ransomware incident but had no preventative measures or preparedness to manage the incident, and you refused to pay the ransom. You have not managed to recover the encrypted data and have instead taken the hit. If the incident is recent, all may not be lost: look at point 4 in my recommendations for initial response to a Ransomware incident below.
Ransomware Preparation and Prevention
There are other important points which are not being conveyed. Here are my five points for preventing and preparing for Ransomware attacks.
Ask your IT specialists to give you assurance on these five points as part of your cyber security arrangements:
1. Security Updates: Continuously upgrade all obsolete/unsupported systems and ensure all systems are set to automatically apply the latest security updates and AV signatures.
2. Data Backups: Check data backups or system snapshots to ensure they are very recent and disconnected/air-gapped from your network once complete. Review your backup regime to give you the optimum recovery options including separating backups of OS, configuration as well as user data. Also, consider the use of shadow copies and virtualization (snapshots and regular clones). Ensure offsite backups are encrypted. If using cloud services then regularly pull backups down and store them securely offline.
3. Email Security, Web Filtering & Awareness: Ensure email and web traffic is passed through regularly reviewed and effective content filters and that all users are made aware not to blindly trust email messages. Phishing tests are recommended.
4. Access Control: Regularly review user access permissions to data and restrict them to the absolute minimum needed. Ensure firewall configuration is reviewed, that only those ports/protocols absolutely needed are available, and that egress filtering is deployed. Ensure networking is segregated, i.e. VLANs, internal firewalls and DMZs, and that applications are compartmentalised, e.g. using tools such as Docker. Ensure that generic app-to-database accounts are not used. Minimise the use of administrator privileges and ensure Active Directory is configured securely and is not vulnerable to privilege elevation.
5. Improving Authentication: Implement two-factor authentication, especially for access to all remote access and online services, many of which should now be offering 2FA. This control will reduce the risk of hacking followed by a Ransomware drop on your network.
Initial Response to a Ransomware Incident
Upon detection of Ransomware affecting your networks take the following steps.
1. Isolate: Disconnect the network cable(s) from the back of all computers, wireless routers, firewalls and switches, and immediately power each device down. Disable wireless access points. Do not power down your website or database servers unless you have a strong suspicion they are affected. Ensure that all remote access is disabled.
2. Initiate Identification: Take immediate steps, whilst user memory is fresh, to ascertain the method by which your systems became infected. Who was the user of the first computer (desktop/laptop/server) to notice and/or report the infection? Is there a likely group who may have shared messages or documents? Is receipt of a particular email a likely source? Also, consider users with remote access. If you need to access certain systems in order to determine this, then please preserve this potential evidence and wait for specialist advice.
3. Begin Containment: Identify those systems which you are certain are affected and mark them as such (use a sticky note) and remove the power cable to ensure users do not switch them back on. Consider the best approach to manage staff awareness and availability along with the need to initiate your business continuity plan.
4. Plan Recovery: Check your backups (incl. snapshots) ensuring that any restoration would not inadvertently restore the Ransomware. Give some thought to the most recent copies of files you may need that are stored in email mailboxes (as attachments) and on cloud-based file sharing. Call back any offsite backups. Do not initiate restoration before receiving specialist advice but be ready.
5. Control Communications: Do not pay the ransom or in any way initiate communications with the criminals. Do not initiate any reporting or communications with any third parties before receiving legal and crisis PR advice.
Please note: all advice given above is offered generically and is based on many years of experience in managing cyber incidents generally and Ransomware incidents specifically. However, this does not take into account specific IT implementations or situations. As such, no liability can be accepted for any losses which may result.
About Neil Hare-Brown
Neil has spent his career in the field of Cyber Risk, Information Security and Digital Investigations. He founded STORM Guidance in 2014 and previously formed Blackthorn Technologies (formerly QCC) in 1996 with the founder of the Met. Police Computer Crime Unit and Policy Advisor to the National Hi Tech Crime Unit.
With a technical background specialising in the security of operating systems and security components, Neil has worked in Finance at Natwest as an IS Auditor and as Information Security Manager at Charterhouse Bank. In the last 18 years he has concentrated on support for law enforcement in the investigation of computer crime for the Police, Government and international commercial organisations.
Neil has performed forensic analysis in a number of fraud cases and has recently formed a new Advisory company, STORM Guidance, specialising in helping organisations build and enhance effective Cyber Risk and Cyber Incident Response and Management. Neil is the creator of the Blackthorn GRC system and CaseNotes mobile app.
With an MSc in Information Security from Royal Holloway and as a GRC Professional and Certified FAIR Analyst, Neil brings a practical approach to risk management and to helping organisations respond to and manage cyber security incidents, the subject of his book “Information Security Incident Management – a Methodology”.
Follow STORM Guidance on Twitter: @STORMComms