This is the second article in our 10-part series for National Cybersecurity Awareness Month. Look for new cybersecurity topics explained by Alpine Cyber experts every Tuesday and Thursday in October.
Behold the Villain – Now in Digital Form
“We have your family. We want $2,000,000 in unmarked $2 bills; in a tan duffel bag; in the Logan Square Fountain by 9:00 PM…or you’ll never see them again.”
We’ve all seen this movie. Dastardly evil-doer holds something precious over our dashing hero’s head demanding ungodly sums of money for its release.
Sadly, this is no longer limited to Hollywood schlock suspense films and Liam Neeson’s poor on-screen children. It’s happening in companies and to everyday people on a regular basis.
How Ransomware Works
Installation and Execution
Dastardly evil-doer gets a piece of malware onto our hero’s computer, and then our hero unwittingly executes it.
Dastardly malware does something bad on our hero’s computer. That could be:
- Searching for and encrypting files of a valuable type (e.g. .doc, .pdf, .xls)
- Encrypting our hero’s entire hard drive
- In some other way preventing our hero from accessing his or her files
Spreading to Other Systems
Often, dastardly malware will then try to spread itself within the organization by finding open connections to other computers or file shares, and exacting its evil plot on those unsuspecting targets as well.
Dastardly evil-doer then demands a sum of money, usually in the form of the cryptocurrency flavor of the week. He claims that in return he’ll provide the key for our hero to release his or her poor defenseless files/computers from the clutches of evil.
What would you do? Our hero has two choices at first glance:
- Pay the ransom and hope Dastardly evil-doer keeps his end of the bargain.
- Not pay the ransom, and leave our hero’s IT department to deal with the repercussions of no longer being able to get to that data or computer.
Sounds nasty. Our poor hero has a very slim chance of coming out of this with a smile.
But what if it didn’t have to be that way?
How to Recover from Ransomware, Without Losing Your Bitcoins
There is a third option. Our hero’s IT department goes Liam Neeson on Dastardly evil-doer and exercises its very particular set of skills. They’re prepared with recent backups and a well-tested incident response plan…
Detection and Analysis
The first part of the plan is to find all of your infected computers and shares. This may mean monitoring the network for traffic indicative of the infection, keeping an eye on anti-malware logs, watching file shares for signs of new infection, monitoring the firewall for outbound traffic to the Dastardly command and control servers, or any other means by which the IT Security professionals can detect infection. This takes some environmental knowledge and practice. Knowing what “normal” looks like on the network helps.
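One way to watch file shares for signs of new infection, shown as an added example that is not part of the original article: it reads file-server audit events and flags any host whose file changes inside a short window far exceed what is normal for that host. The log format, host names, baseline and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def build_sample():
    """Constructed audit events (assumed format): ISO time, host, action, path."""
    lines = [
        "2023-10-03T09:00:05 ws-014 WRITE //fs01/finance/q3.xls",
        "2023-10-03T09:04:40 ws-022 WRITE //fs01/hr/policy.doc",
        "2023-10-03T09:10:12 ws-014 RENAME //fs01/finance/notes.doc",
    ]
    # ws-031 rewrites 12 files within 12 seconds: the pattern worth alerting on.
    lines += [f"2023-10-03T09:15:{s:02d} ws-031 RENAME //fs01/shared/file{s}.pdf"
              for s in range(12)]
    return lines

CHANGE_ACTIONS = {"WRITE", "RENAME", "DELETE"}

# Assumed "normal": file changes per window per host, learned from a quiet week.
BASELINE = {"ws-014": 1, "ws-022": 1, "ws-031": 1}

def find_bursts(lines, baseline, window_s=60, factor=5, floor=10):
    """Return {host: time the alert fired} for hosts whose change count inside
    a sliding window exceeds max(floor, factor * that host's normal rate)."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)   # host -> timestamps still inside the window
    alerts = {}
    for line in lines:
        try:
            ts_raw, host, action, _path = line.split(maxsplit=3)
            ts = datetime.fromisoformat(ts_raw)
        except ValueError:
            continue              # skip malformed lines rather than crash
        if action not in CHANGE_ACTIONS or host in alerts:
            continue
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop events that fell out of the window
        limit = max(floor, factor * baseline.get(host, 0))
        if len(q) > limit:
            alerts[host] = ts     # first moment the host crossed its limit
    return alerts

if __name__ == "__main__":
    for host, when in find_bursts(build_sample(), BASELINE).items():
        print(f"ALERT {host}: burst of file changes on share at {when}")
```

The flagged host is the one to quarantine first; the baseline is what turns "a lot of changes" into "a lot of changes for this machine".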
Containment, Eradication, and Recovery
Then remove the infection by quarantining the affected computers and re-imaging them if possible. I never trust an anti-virus cleanup. Don’t fall in love with the installed OS. A fresh start is freeing.
If it has spread to multiple machines, be sure to get them all! Make sure you’re watching network traffic and file shares to be certain you don’t see any additional signs of infection throughout this phase.
Restore any lost data from those recent, well-tested backups.
This would include training the users, and tuning your mail and content filters. Then you would identify and fix the root cause of the infection.
Instead of exercising that particular set of skills, many IT departments drop the ball. Backups are old. There’s no incident response plan. Even backups and plans that do exist haven’t been tested in years, so they no longer work.
There’s not much to do here other than to pay the (hopefully reasonable?) ransom, hope it works, and implement a more comprehensive security program so it doesn’t happen again next time. Shameless plug for Alpine Cyber’s CISO-as-a-Service!
How to Prevent It from Happening Next Time
Users are our greatest asset and our most vulnerable liability, all rolled into one. It makes sense to train them!
Annual Security Awareness Training
Nobody likes to sit in a big room and talk about security. But sometimes we have to do things we don’t like, because it’s the right thing to do. At least once a year, make sure everyone gets a full-fledged training session on information security as a whole, on your company’s acceptable use policy, and on any recent or upcoming changes to the security program.
Regular Phishing Exercises
Keep your employees frosty. Every month, send them a test phishing email with one of the major vendors’ phishing products. See who opens it. See who clicks the link. See who gives up their credentials. Train those who fail. Discipline those who fail repeatedly. Trend it and make it visible. This is powerful!
Don’t have time? Outsource it!
Tune the Filters
Tune your spam filter to be more aggressive about stopping shady e-mails. Don’t have a spam filter? Get one. And make sure it’s one that handles quarantining messages, sending digests to users, and self-service release of expected messages. This is one of the rare capabilities that doesn’t have to add more burden to your security team.
Make sure your web content filter is configured to use a whitelist rather than a blacklist. If you deny all traffic, only allowing certain sites or categories of sites, the chances of your ransomware being able to talk home to get the keys it needs to do the encryption go way down. It can be painful at first, responding to users’ floods of requests. But it gets better. And it makes you WAY better.
Equip Yourself and Your Team
I didn’t expect this to be such a long post. But this is a huge risk to companies of all sizes across all verticals, so I didn’t want to give it too shallow of a treatment.
Don’t be a victim. Develop an incident response plan. TEST IT by doing tabletop walkthroughs, at a minimum. And keep your users vigilant.
Oh, and these same ideas apply to home scenarios with the following takeaways:
- BACK UP YOUR FILES! Do it regularly (i.e. continuously). And test the backups from time to time to make sure they’re working and restorable.
- PATCH YOUR STUFF! We have a whole blog post on vulnerability management coming up later this month. Patch all the things. Computers, phones, network equipment, smart thermostats, connected light switches. EVERYTHING. You never know which vulnerability the bad guys may use to get into your stuff.
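A restore test for the backups discussed above, shown as an added example that is not part of the original article: it records SHA-256 hashes when the backup is taken, then checks a test restore against them and reports files that are missing or altered. The function names and sample files are hypothetical.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """At backup time: map each file's path (relative to root) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest

def verify_restore(manifest, restored_root):
    """Return (missing, altered) files in a test restore, per the manifest."""
    missing, altered = [], []
    for rel, digest in sorted(manifest.items()):
        full = os.path.join(restored_root, rel)
        if not os.path.isfile(full):
            missing.append(rel)
        elif sha256_file(full) != digest:
            altered.append(rel)
    return missing, altered

def demo():
    """Constructed scenario: one restored file is missing, one is corrupt."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        for name, data in [("taxes.xls", b"2023"), ("photo.jpg", b"img"), ("cv.doc", b"cv")]:
            with open(os.path.join(src, name), "wb") as f:
                f.write(data)
        manifest = build_manifest(src)
        # Simulated restore: cv.doc never came back, photo.jpg came back damaged.
        with open(os.path.join(dst, "taxes.xls"), "wb") as f:
            f.write(b"2023")
        with open(os.path.join(dst, "photo.jpg"), "wb") as f:
            f.write(b"\x00\x00\x00")
        return verify_restore(manifest, dst)

if __name__ == "__main__":
    print(demo())
```

Keep the manifest somewhere the backed-up machine cannot write to, so an infection cannot alter the hashes along with the files.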
Photo of Liam Neeson in Taken, distributed by 20th Century Fox