Ransomware – it might arrive as a worm, or a virus. Maybe it got to you through an infected web page, or a specially crafted PDF, photograph, or Word document. In the end, it doesn’t really matter. All of these potential problems mean the same thing – unhappy users, compromised systems, downtime, and business risks. The most prevalent style of ransomware is a category called ‘Crypto Locker’. This malware will encrypt some, most, or all of the data on your system – even including parts of your operating system and generally all of your user files (and it can include USB drives and network-attached drives) and basically holds you to ransome. The people developing the Crypto Locker attack will provide a ransom message on your computer instructing you to pay a fee in order to get your computer decrypted and make your data accessible again. Ransomware is on the rise – there are more ransomware attacks all the time, and it is the single fastest-growing segment of malware.
There are a few really important things to consider about ransomware incidents.
- You lose access to your data on, and through, that system. (Or systems. We’d like to hope that if we do get infected, only one system is a problem, but in reality, if one system has a problem, its not generally alone). This data is encrypted by the ransomware, so even if you find a way to boot into the system using an OS that isn’t compromised – maybe a USB stick, boot from network, or boot from DVD – the data is still going to be encrypted and unavailable.
- The odds are against you as far as taking a clean system and decrypting your data. Some of todays encryption algorithms are VERY time consuming to break – that’s kind of the point of encryption – and there’s no guarantee that the encryption on your computer is even using a standard algorithm.
- It’s entirely likely that your attacked has taken advantage of the flaw in your machine to pilfer your data, so any secret information – credit cards, passwords , trade secrets, customer contacts – should be considered to be ‘stolen’ and available to malicious persons and organizations.
- If you go through the steps and pay the ransom fee, there is no guarantee that your attacked is *actually* going to decrypt your machine. It’s not like you can complain to the Better Business Bureau and ask for a refund. And even if they DO decrypt it – there are no guarantees about the accuracy or completeness of your remaining data.
- Basically, if you get a machine that gets bricked by serious ransomware – you might as well treat it as if it’s been destroyed. You *may* be able to reinstall it as a net new, clean machine and repurpose it – but some varieties of malware can prevent this from happening properly as well.
At this point, most of us are reading this list and going ‘This is TERRIBLE!! I NEVER want to have to deal with this – what can I do???’
Like most things in life, there are no absolutes – if you absolutely need zero risk, then you need your system to be offline….. but there ARE things you can do to help minimize the risk, and control the damage. Here are five of the top things you can do to help ensure that Crypto ransomware doesn’t ruin your day.
One: User Education
This is probably the most important – and most often overlooked – option that any organization can employ to help protect their environment from ransomware. Train Your Users. Educate Your Users. If you’re an IT professional, a lot of what you’re educating them on may seem self-evident to you – I mean, isn’t it obvious to everyone that this UPS package email isnt’ from UPS, and they NEVER send these emails to end users? That’s got to be malware, right?
No. No, this isn’t obvious to everyone. Package delivery emails, donate to a flower fund for a funeral, look at this funny picture, please acknowledge this legal document email, please refresh your bank credentials – there are lots of avenues for malware creators to ‘market’ their products to your users. Emails, web pages – targeted attacks using social engineering by ‘knowing’ enough about your users to seem legitimate. Phishing scams looking for information are very common – and the information retrieved can often be used to crafted very targeted malware messages – and they get better crafted and sneakier all the time. For someone who’s profession isn’t seeing this stuff all the time, they CAN be fooled. A user who has never had a problem before, and hasn’t been educated on the issues, is much more likely to open that ‘tracking document’ to see what it is – or to run that ‘New Hilarious Game’ application. Assuming that other people know what the problems are just because you – the IT professional – knows what web pages and emails and jokes and documents are problems .. well.. lets’ just not make those assumptions. That’s safest for everyone. Be sure of your users.
This means that its truly critical for your organization to get training for your users – teach them about phishing, social engineering, malware attachments, phony web pages, and ways to protect themselves – and as a bonus, this protects your entire organization. Train and educate your users. You won’t regret it, and neither will they.
Two: Patch your systems
There’s a pattern to a lot of ransomware we’ve been seeing lately. It’s a pretty simple pattern, too. It goes like this: Major Ransomware and Crypto Locker attacks are exploiting known vulnerabilities that have had patches available for 90 days or more. WannaCry, as an example, couldn’t hit many organizations because they were already patched.
Now, there are problems with this. ‘My organization runs a ton of custom software and we need to test everything rigorously and can’t patch on a regular basis’. That’s the most common refrain around patching and upgrading. This is going to sound like a flippant answer, but it isn’t really – the solution is … you need to reprioritize.
It really is a matter of priorities. How much does thoroughly tested software help you if 200 of your 205 workstations are cryptolocked and have effectively been destroyed? Or if both of your email servers are destroyed because you run a custom integration with a calendar application? If you have real legal and regulatory requirements to complete testing prior to patches, put the effort in to optimize your testing and evaluation processes, and get them done quickly.
Many financial institutions in Canada have historically run years behind on software currency. When the Y2K ‘crisis’ was occurring, there were organizations scrambling to get applications off of OS/2 , because it couldn’t be made Y2K compliant. Today, with end-of-life announcements for Windows 7 and Windows Vista, there are organizations still running Windows XP – with all the security risks that entails. Organizations in this position are painfully aware of their risk exposures – and the buzzword project running through *all* of the related IT and security groups is ‘Currency’. Maintaining an effective security posture requires a minimum level of software currency – and the churn on this is only going to get faster. Deal with it now, get your desktops patched and current, get your servers patched and current, and get your processes and requirements streamlined with the proper investment to ensure your systems remain intact and available.
Priorities – doing business and operating your systems while NOT being compromised has to be a higher priority than having a long, complicated, unwieldy test cycle. Or perhaps you should rephrase it like this: Having an optimized test cycle that allows to remain current on software and security posture has to be placed in a higher priority.
If this was a true statement for the majority of organizations around the world, we wouldn’t have had a Wannacry problem. It’s currently far from the truth – don’t be the next newspaper story as a victim who could have avoided the problem because your corporate priorities aren’t helping you.
Three – Next Generation Behavior-based Client Anti-Virus Protection
Endpoint security can play a huge role in your environment. Traditionally, this has meant signature based antivirus – but there’s a huge hole in this kind of application. It’s the signature itself.
How long does it take to identify and classify malware, get analysis done on its behavior, develop a ‘file’ signature for what this risk looks like when being transported to your computer, and then push that signature out to however many million machines need it? It isn’t instantaneous – and while it’s happening, your endpoints are exposed. Clients, servers, doesn’t matter – if ransomware gets activated on the endpoint before your signature-based AV can find it, we are back to the 5 unhappy realities of ransomware – you’ve been compromised and the machine is best considered ‘destroyed’.
Next-Generation clients are available. These clients – similar to advanced Intrusion Detection/Prevention Systems – can do behavior-based analysis to determine when a file on your machine is attempting to be malicious. Pattern-based analysis for access to network drives, or underlying OS mechanisms; attempting to rewrite files in large scale, or to write into the boot sector, or secondary boot files of your OS; network scanning, or attempts to access ‘risky’ identified networks for botnets and command-and control networks; unusual broadcast activity in the local LAN environment – and many more behaviors – these analyses can find ‘risky’ files and applications, AND can send these apps up into a security cloud for analysis. While they are at it, they are an effective protection against ‘zero-day’ attacks – attacks for which no signature exists and where endpoints that only have traditional AV are exposed.
The added benefit? No huge signature database means a smaller memory and performance footprint, and a smaller impact to your user experience, while still providing exceptional levels of protection for your endpoints. Symantec Endpoint Protection v14, Palo Alto TRAPS, Cylance and others, are example clients that help protect your organization right out to the user desktop.
Four – Next Generation Firewalls with Threat Protection
NGFW appliances have some capabilities that traditional firewalls simply didn’t have. Some of them are critical in today’s threat landscape. Much like the Endpoint Next-Gen client, the firewall has new methods to detect malware. File downloads are checked against databases of known files – but can also be checked against a ‘security cloud’. Files that are unknown can be ‘trickled’ at a slow download rate into the firewall (and end user) while they are uploaded into the security cloud for analysis in a safe ‘sandbox’ environment. Between the NGFW appliance performing inbound malware analysis and cloud ‘sandboxing’ , your Endpoint clients won’t have large amounts of ‘unsafe’ material to investigate, and the combination presents a high level of safety and security for your environment.
WannaCry, as a recent example, was found, detected, and blocked by Juniper, Fortinet, and PaloAlto firewalls as a zero-day attack. No signature required, but the advanced threat and behavioural engines provided by all three firewall vendors kept customers with the NGFW solutions deployed safe.
Be safe – ensure that your organization isn’t relying on port-and/or-signature based firewalls for all of your network perimeter protection. Leverage newer NGFW capabilities and maximize the effectiveness of your security stance.
Five – Next Generation Email Gateways
Just like client Antivirus, and NGFW appliances, email gateways are evolving and growing too. A huge percentage of malware entering a network arrives via email. Email attachments are often not properly analyzed at the firewall – they may be encrypted, or zipped through multiple layers of compression that can – on occasion – get through your NGFW. Or it may be a file type that has some special requirements – not that the NGFW is ineffective, only that the very determined attacked is, occasionally, going to sneak something through. In most cases today, that route involves email.
Now, lets imagine that you had purchased an email that stores, uploads/sandboxes/detonates, analyzes, and either quarantines or releases email.
How big is your Internet connection – a 100Mb connection can , in theory, bring 8PB (petabytes) of data into your network in seven days. Lets assume , though, that you only have 10% usage – that’s only 800TB…. so next week – lets assume that 1% of that is malware (this is a conservative estimate for most -organizations). That’s a staggering amount s 8TB of pure malware. If your firewall stops 99.9% of the malware , that still leaves you with 8GB of malware inbound to your network – and most of it is probably in email. I suppose we could count on our client endpoints to capture that 8GB as it arrives on each desktop and server – as long as every machine is patched and up to date on all its clients, and not one machine has been missed or has another problem.
Or you can have your email gateway upload, sandbox, detonate, and analyze all of your attachments before they go to your various endpoints – and if your email gateway gets 99.9% , your endpoint clients – combined – only have to deal with 8 megs of potential malware. That’s likely only going to impact one or two machines in your network – and they have NGFW antivirus/anti-malware software to protect them from that last threat.
Defense in depth – layered security. Powerful perimeter defense with a dedicated, purpose built firewall to stop the vast majority of threats; powerful intermediate security at your email server to ensure that your organizational messaging is clean and safe, and distributed endpoint security at your general-purpose endpoints that can help stop remaining threats without negatively impacting your user experience. And in the rare event where something still gets to the desktop machine, your user is educated enough to know not to open that attachment, and if they do open one by accident, their desktop is already patched and current, and turns out not to be vulnerable to that attack.
These things may not *always* line up this way – no one is going to guarantee 100% detection against every threat, every time, at every level – but look at the numbers, look at the odds, and give your organization the best security posture you can manage – take five steps to secure yourself.