Understanding Ransomware

CYBERSECURITY SPOTLIGHT: RANSOMWARE

Ransomware Defined

Ransomware is a class of malicious software (malware) that holds the victim’s computer system and data hostage with a demand for a ransom payment to restore access.  Ransomware typically uses file-level or full-disk encryption to lock the victim out, preventing access to their system and/or the data on it.  The effects of a ransomware attack can be devastating in terms of data loss, business operations, and compliance with privacy laws.

We hope that this article helps you prepare and plan for a ransomware attack, and that you come away with some prevention and containment strategies as well.

Infection and Spread

The means of infection, or the attack method, is called the “attack vector”.  Ransomware can use any one of a number of attack vectors, such as USB sticks, links and attachments sent via email, and multi-stage web attacks, for example where a vulnerability in a web browser plugin is exploited and the first-stage malware is used to download and launch ransomware in the second stage.  Ransomware variants such as WannaCry use worm-like code to spread from host to host by exploiting a vulnerability in Microsoft’s SMBv1 protocol.  Additionally, several variants of ransomware are programmed to look for shared files and folders on (primarily Windows) networks and will encrypt data on those shares if possible.

Limit the damage by applying the Principle of Least Privilege, since most malware runs with the permission level of the user who executed it.  The point is that malware can be very sophisticated, and businesses need to be aware of this and take appropriate action in advance of an incident.

Action Plan

The wise adage “An ounce of prevention is worth a pound of cure” holds true, and we vigorously advocate prevention and risk management because a security intrusion or breach can put an SMB out of business.  Even if that’s not likely for your business, incident response services are expensive, as are legal fees and every other cost that goes into responding to and recovering from a breach.  However, prevention is not always possible, so we need to be prepared to fail in a way that ultimately leads to a positive outcome for us and for our partners and clients.

Essential ransomware preparation steps include taking frequent full and incremental backups of important data and storing the backups in an off-site location; compartmentalizing your network so that you segregate systems and data by department, sensitivity level, or other attributes, and thus limit the ability of worm-like ransomware to spread laterally; reviewing your business insurance policy and considering added coverage for cyber events such as ransomware and other attacks; and establishing a relationship with a trusted cybersecurity partner whom you can contact for help in the event of an incident.  You should also consider planning ahead and establishing procedures for how and when to communicate with clients, partners, suppliers, and other parties should a ransomware attack disrupt services or put sensitive information at risk.

There are some fantastic ransomware detection and prevention products on the market, such as Sophos Intercept X, and we advise our clients to go with a leader in this area.  In addition to endpoint security solutions, there are new and emerging AI- and machine-learning-based products that can detect and sometimes mitigate ransomware at the network level.  We recommend establishing a regular and consistent patch deployment schedule in which security updates are applied to address critical vulnerabilities.  We also recommend that clients conduct regular and consistent vulnerability scanning of their internal and external networks and devices to identify issues and prioritize remediation based on criticality.  We have worked incident response engagements where a simple vulnerability check would have revealed the weakness that was ultimately used to infect the target with ransomware.

There is no such thing as a 100% secure system, so intrusions, malware infections, and breaches will occur.  When prevention fails, being able to detect malicious behavior, including ransomware, is essential to containing the threat and limiting damages.  Threat intelligence and intrusion detection systems are not one-size-fits-all, so be sure to do your homework and find a partner who can help you choose the right solution for your business, budget, and needs.
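To make the “detect malicious behavior” point concrete, here is an added example (not code from Legion Cyberworks or from any product mentioned in this article) of the kind of heuristic an endpoint or network tool applies to file-activity telemetry: a burst of writes by one process spread across several folders, documents acquiring an appended extension, and any touch of a planted canary file.  The log format, the thresholds, and every process name and path below are constructed for the illustration and are not taken from a real incident.

```python
"""Heuristic ransomware-behaviour detector over file-activity telemetry.
Added illustration only: log format, thresholds, process names and paths
are all constructed, not taken from any real product or incident."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tuning knobs (illustrative values, to be tuned per environment)
WINDOW = timedelta(seconds=60)   # sliding window for the burst rule
BURST_THRESHOLD = 20             # writes by one process inside WINDOW
MIN_DIRECTORIES = 3              # a burst must touch at least this many folders
DOCUMENT_EXTS = {".docx", ".xlsx", ".pptx", ".pdf", ".jpg", ".txt", ".bak", ".sql"}
# Canary files: decoy documents that no legitimate user or software ever touches
CANARY_PATHS = {r"C:\Users\alice\Documents\_canary_do_not_touch.xlsx"}

# Constructed log format: "<ISO timestamp> <pid> <process> <WRITE|DELETE|RENAME> <path>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<pid>\d+) (?P<proc>\S+) (?P<op>WRITE|DELETE|RENAME) (?P<path>.+)$"
)


def parse_line(line):
    """Parse one telemetry line into a dict; return None for malformed input."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "pid": int(m["pid"]),
            "proc": m["proc"], "op": m["op"], "path": m["path"]}


def directory_of(path):
    """Folder part of a Windows-style path."""
    return path.rsplit("\\", 1)[0]


def has_appended_extension(path):
    """True when a document name has gained an extra extension, e.g. report.xlsx.locked."""
    parts = path.rsplit("\\", 1)[-1].lower().split(".")
    return len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTS


def analyze(lines):
    """Return a list of alert dicts for every rule that fires on the given lines."""
    alerts = []
    recent = defaultdict(deque)   # (pid, proc) -> deque of (ts, path) WRITEs within WINDOW
    burst_reported = set()        # alert once per process, not once per write

    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        key = (ev["pid"], ev["proc"])

        # Rule 1: any touch of a canary file is suspicious regardless of volume
        if ev["path"] in CANARY_PATHS:
            alerts.append({"rule": "canary", "process": ev["proc"], "pid": ev["pid"],
                           "detail": f"{ev['op']} on {ev['path']}"})

        if ev["op"] != "WRITE":
            continue

        # Rule 2: a burst of writes spread over several folders, counting how many
        # of the written files look like documents with an appended extension
        q = recent[key]
        q.append((ev["ts"], ev["path"]))
        while q and ev["ts"] - q[0][0] > WINDOW:
            q.popleft()
        dirs = {directory_of(p) for _, p in q}
        appended = sum(1 for _, p in q if has_appended_extension(p))
        if (key not in burst_reported and len(q) >= BURST_THRESHOLD
                and len(dirs) >= MIN_DIRECTORIES):
            burst_reported.add(key)
            alerts.append({"rule": "burst", "process": ev["proc"], "pid": ev["pid"],
                           "detail": f"{len(q)} writes across {len(dirs)} folders, "
                                     f"{appended} with an appended extension"})
    return alerts


def build_sample_log():
    """Constructed telemetry: two benign workloads and one ransomware-like one."""
    base = datetime(2024, 5, 1, 9, 0, 0)
    lines = []
    # Benign: a word processor auto-saving one document
    for i in range(5):
        ts = base + timedelta(seconds=30 * i)
        lines.append(f"{ts.isoformat()} 4120 winword.exe WRITE C:\\Users\\alice\\Documents\\q2-forecast.docx")
    # Benign but noisy: a build writing 30 files into a single folder (must not alert)
    for i in range(30):
        ts = base + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} 2210 msbuild.exe WRITE C:\\src\\app\\obj\\module{i}.obj")
    # Suspicious: an unknown process appending .locked to documents in four folders,
    # then touching the canary file
    folders = [r"C:\Users\alice\Documents", r"C:\Users\alice\Pictures",
               r"\\fileserver\finance", r"C:\Users\alice\Desktop"]
    for i in range(24):
        ts = base + timedelta(seconds=120 + i)
        lines.append(f"{ts.isoformat()} 6688 unknown.exe WRITE {folders[i % 4]}\\file{i}.xlsx.locked")
    ts = base + timedelta(seconds=150)
    lines.append(f"{ts.isoformat()} 6688 unknown.exe WRITE C:\\Users\\alice\\Documents\\_canary_do_not_touch.xlsx")
    return lines


if __name__ == "__main__":
    for alert in analyze(build_sample_log()):
        print(f"[{alert['rule']}] {alert['process']} (pid {alert['pid']}): {alert['detail']}")
```

The build-tool case is the reason the burst rule requires several distinct folders: a raw write count alone would flag compilers, backup agents and indexers all day, which is exactly the tuning work a vendor or partner does against your environment before such a rule is worth acting on.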

We advise our clients to take the approach that recovering from ransomware will not involve rescuing their data from an infected system.  If that’s their game plan, they are playing to lose.  Your ability to recover will depend on your level of preparation, the detection tools you have in place prior to the incident, and your skill level in incident response.  The recovery process will include containment and eradication of the ransomware, identifying and closing the original attack vectors, and restoring systems, applications, and data from viable backups.  This process will also help you identify gaps and areas of improvement in your overall information security program, which should be prioritized and remediated according to your business needs and risk tolerance.

What’s Next for Ransomware?

So far, the majority of the ransomware we’ve seen only encrypts victim data at rest on the affected systems.  This puts the hackers at somewhat of a disadvantage as more and more businesses and individuals catch on to the need for regular off-site backups, meaning that the hackers are less likely to get paid to restore access to the victim’s data.  We believe that hackers are going to move toward extortion techniques where, instead of just encrypting victim data in place on the system, they siphon off valuable data and threaten to release it if the ransom is not paid.  The obvious problem with paying the ransom in this case is that nothing stops the hacker from returning your data to you while also selling it on the black market to make twice the profit, which means you still have a data leak problem.

If you would like help with preparation and planning, or with evaluating and selecting the right prevention and detection solutions, we are here for you.  Legion Cyberworks provides consulting and advisory services around compliance, cyber-attack preparation, and security program best practices, and we partner with leaders in the cyber-security industry so that we can deliver world-class solutions that are right-sized for your business.  Already experienced an intrusion, malware incident, or breach?  We can help with incident response.  Call or email us to get connected with one of our friendly and knowledgeable staff whose sole job is to help you solve your cybersecurity problems.