Definitive Ransomware guide for business in 2019
Table of Contents
1.0. Know your enemy – understanding ransomware and how it works
1.1. What is ransomware?
Many strains of ransomware force victims to take action by incorporating an expiration date into the ransom demand: if the ransom is not paid by a certain date, the decryption key will be destroyed and all ransomed data will be inaccessible forever.
1.2. Is ransomware the same as malware?
1.3. Where does ransomware come from?
1.4. How can ransomware get onto my network or computer?
1. Self-propagated infection – much like a virus, some strains of ransomware can automatically probe adjacent computers on a network and “jump” from one host to another, spreading automatically by exploiting certain characteristics and services of a computer’s operating system or application software.
2. Manual infection – involving hackers who can break into systems (via a variety of methods, such as weak passwords, vulnerabilities in protocols such as RDP, or zero-day exploits) and then manually install ransomware in order to monetize their break-in.
3. “Hapless user” infection – where users unknowingly infect themselves by clicking on links in spam or phishing emails, plugging in USB devices, or visiting websites that have been sabotaged.
We describe this in more detail later in the article.
1.5. How does ransomware affect your computer systems?
1. To prevent it from booting. The Petya (2016) strain attacked the Master Boot Record (MBR) of machines to hijack the computer and demand ransom from the user.
2. To allow booting, but otherwise deny access to data. Here, ransomware looks for data that it thinks has value, like documents and databases, and encrypts that data so that you can no longer use or view it.
1.6. What happens when you are infected?
1.7. How common is ransomware?
2.0. Staying a step ahead - how ransomware gets into your network
2.1. Anatomy of a network breach
This graphic shows the 3 common ways ransomware spreads: internet connections, email attachments and infected removable drives. Once it’s on a machine in your network, ransomware can detect all the workstations, servers, laptops and other local networks and spread to them as well.
Let’s take a closer look by examining 5 ways ransomware can spread into your network and onto your computers.
The internet threat
The attached device threat
Jane uses a USB thumb drive to back up her work laptop. She loses the USB and gets another one from a drawer at home. At some time in the past that USB was infected with ransomware. She plugs the USB into her work laptop, then securely connects to her company network from that trusted laptop, and the USB deploys its ransomware to the company file server. It then spreads, infecting the whole company.
Kim recently made a purchase online with a reputable company. After making the purchase, the company’s online advertisements start showing up in her social media. One ad prompts her to consider another purchase, but she changes her mind. Unfortunately, that’s not the end of it. Hackers have injected malware into the company’s advertisements, and Kim and thousands of others notice that the computers they used to view the advertisement, at work and at home, now have a new flashing message – this time it’s ransomware.
The email threat
Although this is one of the oldest forms of ransomware propagation, the McAfee Advanced Threat Research team’s August 2019 report shows that attachments executed by users are still used, and threat actors often survey large organizations before sending the emails because of the lucrative returns.
Dave in HR receives an email titled ‘Job application’ with a PDF attached. The email makes sense and Dave opens it to find a poorly written resume for a generic job. He closes the PDF, not knowing that it ran a macro and installed ransomware. Ten minutes later the ransomware has encrypted Dave’s PC and spread to all company PCs and servers. The company is now unable to function or access critical data.
2.2. Honorable mention - 0-day exploits
3.0. The big reveal – what Ransomware does once it’s on your computer
Graphic: ransomware spreading from 2 PCs to 6, to 30, and so on.
Ransomware will stay hidden and operate in the background, locating data it thinks is valuable: for example, everything in My Documents, anything in a folder called Photos, all Microsoft Office documents, and files that look like databases. Once encrypted, the files will often appear as files with no application association, and if you open them they show gibberish.
Once your important files have been encrypted, the ransomware will display a notification. This notification could be an open text file or, more commonly with new ransomware, a flashy, hard-to-miss browser graphic.
2 examples of ransomware notifications
3.5. A ransomware notification will usually:
Advise that your data has been encrypted
Tell you how much to pay
Explain how to pay
Tell you what will happen when you pay
4.0. The business model - how ransomware makes money and how bitcoin is involved
Ransom demands ask to be paid in cryptocurrency, usually bitcoin, because its digital wallets are anonymous – and therefore appealing to cyber criminals.
4.1. $ How much is a ransom
Ransoms range from a few hundred dollars to over a million, and average in the thousands. Ransoms have been increasing each year and almost doubled in 2019 to an estimated $12,000.
4.2. $ Additional costs of an attack
Ransomware response firm Coveware’s 2019 ransomware report estimates that the average downtime due to a ransomware infection is 7.3 days. That’s over a week’s lost income and does not take into account the cost of managing the recovery process.
2019 has seen many attacks on public institutions and has a high success rate with counties and schools
as ransomware payment
4.3. $ Does paying a ransom fix the problem?
The lesson here is that if you pay, it may not be the end of it. You could be targeted again and, as explained in the backdoor section, all impacted servers and machines will still need to be rebuilt.
4.4. $ How do you pay a ransom
This process itself can be a problem because it takes time (often over a week) for an account and wallet to be verified by the exchange, and ransoms often have a limited window of time to make the payment.
A recovery is what companies that pay ransoms
A recovery is something every company is
The 10 BUILDING BLOCKS OF A SECURE BUSINESS
10 key steps to protect your company and data from ransomware
Unfortunately, there is no silver bullet for ransomware. It’s impossible to guarantee that you’ll be protected against every attack in the future, because:
1. Machines are never infallible (so zero-day exploits and vulnerabilities will always exist).
2. Users will always make mistakes.
However, if you follow these 10 key steps to cyber-resilience, you’ll safeguard your organization and its future by taking positive and effective steps towards both prevention and remediation.
1. Prevention steps are designed to stop ransomware from infecting your machines.
2. Remediation steps enable you to recover from an attack.
Given that prevention is never 100% effective, we always recommend combining it with remediation as part of a holistic cyber-resilience strategy.
Use anti-virus software and email filtering
Have antivirus software installed on all machines. The software should be updated regularly and scan files that are opened and sent.
ACTION : check that the antivirus on all servers and desktops is updating correctly.
Set up email filtering on your mail server. Email filters check for spam, emails from suspicious sources, known malware and ransomware, and can also check emails with attachments.
ACTION : check that your email filtering is configured to protect you from ransomware. For example, add a rule that flags emails addressed to recipients in your domain that don’t exist.
Patch and update your computers
All server and desktop operating systems should be kept up to date with patches. These patches often include security enhancements based on new threats and exploits.
ACTION : Put a process in place to review and implement security updates. Any high to extreme risk vulnerabilities should be patched in 48 hours.
Patch and update your software
Most applications include processes that access the internet, making them open to exploitation by ransomware.
ACTION : Audit all applications to ensure they are securely configured and patched. Check for applications that are no longer supported, as they may need to be upgraded. Applications like Flash, web browsers, Microsoft Office, Java and PDF viewers in particular should be patched.
ACTION : Configure your web browsers to block Flash and Java if those features are not needed, and review any Microsoft Office macros that access the internet.
Secure any remote access points
Remote tools like RDP (Remote Desktop Protocol) allow remote access to computers for remote work and system support. RDP is a frequent target of ransomware and must be configured securely.
Do not use simple or default credentials
ACTION : Check your user password requirements and ensure all RDP passwords are strong.
ACTION : Check that administration privileges have only been given to users and processes that need them, and that they are only used for tasks that need those privileges.
Be careful with attached devices
Manage the use of removable storage devices such as thumb drives and USB drives on company computers. Restrict access to removable drives and devices that are used for backups and keep them safe.
ACTION : Check how often data is moved or shared in your business or organization using removable drives, and whether a safer option could be used – such as Dropbox or Google Drive.
Promote user awareness
Even though you will have anti-virus and email filtering software installed, no software is infallible. That means user awareness is also important to protect against ransomware that arrives through messages and emails that contain links or attachments. They are worded to encourage users to trust them and open the link or attachment. It is important for users to understand this threat and to exercise caution with all such emails.
ACTION : Develop a suspicious email checklist and distribute it to all staff.
This email checklist could include the following:
- Does an email’s wording sound vague?
- Does an email’s address look correct for who the email purports to be from?
- Does an email’s address have modified spelling to make it look like a trusted source?
- Are there any spelling errors in the main part of the email?
- Is there a sense of urgency?
- Do you recognize the attachment’s file extension?
If the answer to any of these is yes, then there is every reason to be concerned and your IT support should be informed. If you have the option, call the sender to verify the email.
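The checklist above, together with the “recipients in your domain that don’t exist” filter rule from the email filtering section, can be turned into an automated triage check that runs before a message reaches a user. The following Python script is an added example, not part of the original guide or of any BackupAssist product; the domains, mailboxes, risky extensions and the sample message are constructed test data, and the look-alike threshold of 0.85 is an assumption you would tune for your own domains.

```python
import os
from difflib import SequenceMatcher
from email.message import EmailMessage

# Constructed reference data for the example: our own domain and mailboxes,
# the domains we routinely trust, and attachment types the checklist treats as risky.
OUR_DOMAIN = "example.com"
KNOWN_MAILBOXES = {"dave.hr@example.com", "jane@example.com"}
TRUSTED_DOMAINS = {"example.com", "supplier-example.net"}
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".docm", ".xlsm", ".iso"}
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "account suspended")


def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates (close spelling, not equal), else None."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if SequenceMatcher(None, domain, trusted).ratio() >= 0.85:  # assumed threshold
            return trusted
    return None


def check_message(msg):
    """Apply the checklist to one parsed EmailMessage; an empty list means nothing was flagged."""
    findings = []
    sender = msg["From"].addresses[0].addr_spec.lower()
    imitated = lookalike_of(sender.rpartition("@")[2])
    if imitated:
        findings.append(f"sender {sender} uses a look-alike of trusted domain {imitated}")
    for addr in msg["To"].addresses:  # the server-side "non-existent recipient" rule
        rcpt = addr.addr_spec.lower()
        if rcpt.endswith("@" + OUR_DOMAIN) and rcpt not in KNOWN_MAILBOXES:
            findings.append(f"recipient {rcpt} does not exist in our directory")
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg["Subject"] or "") + " " + (body.get_content() if body else "")).lower()
    for phrase in URGENCY_PHRASES:
        if phrase in text:
            findings.append(f"message presses for urgency ({phrase!r})")
            break
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        if ext in RISKY_EXTENSIONS or name.count(".") > 1:  # risky or double extension
            findings.append(f"attachment {name} has a risky or double extension")
    return findings


def build_message(sender, to, subject, body, attachment=None):
    """Construct a sample message in memory (constructed test data, not a real email)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, to, subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"constructed bytes", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg


if __name__ == "__main__":
    suspicious = build_message("Recruiter <jobs@exarnple.com>",
                               "dave.hr@example.com, payroll@example.com",
                               "Job application - reply immediately",
                               "Please see my attached resume.", "resume.pdf.exe")
    for finding in check_message(suspicious):
        print("FLAG:", finding)
```

The sample mirrors the Dave-in-HR scenario: the spoofed sender domain, the unknown recipient, the urgency wording and the double extension each produce a separate finding, so the message can be quarantined or routed to IT support rather than to the user.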
- Administrators can add extra hard drives or Network Attached Storage but forget to change their backup configuration to add the new storage devices to the backup
- Backup media – such as hard drives – can become worn out over time and stop working
- Hackers can disable or sabotage the backups ahead of a ransomware attack, to make it impossible to recover.
- Look at the section below for guidance.
- Look at online resources for guidance
- Get input from stakeholders and IT staff.
- Test your Ransomware Response Plan by performing the documented tasks
- Get approval across the business
- Distribute the Ransomware Response Plan and train staff in how to use it.
ACTION : Review this list and note any items worth following up for your business
1. Have a specialist security consultant review your vulnerability to ransomware
2. Audit your systems to see if any of them should be upgraded to more secure versions
3. Look at network and computer security training opportunities for your staff
4. Budget for an annual system recovery exercise
5. Initiate a review to ensure all systems have adequate backups with secure destinations
6.0. Zeroing in on backups – are your backups and backup plan ready for ransomware?
6.1. How many of the 5 keys to a successful best practice backup strategy do you use?
I use the right backup type
The right backup type for you will be one that successfully recovers a computer from a backup to a new or reformatted disk. It is possible to recover from a file-based backup – that is, you back up only your files, but not your system. However, if you do, you’ll have to rebuild your machine, install the operating system and all applications, and make any required configuration changes. This might be easy if your organization uses a Standard Operating Environment (SOE), but for SMEs that do not use SOEs, this is going to be troublesome and result in more downtime. If that is the case, we recommend creating full image backups of your systems. An image is a snapshot of the operating system and all data on the disk, and it can be used for a bare-metal recovery.
I use a secure backup destination
If your backups use destinations you can browse to, then ransomware can infect them. The best option is to always use secure backup destinations. These are often called offline or air-gapped destinations. Examples are media that are disconnected after each backup, and authenticated cloud destinations that ransomware cannot spread to.
Warning: If you do use a destination that you can browse to, you must have additional backups that ransomware can’t reach, for example a weekly backup to a cloud destination – but this means your recovery point is a week old. The best option is to always use secure backup destinations.
I know my Recovery Point Objective
When a computer is recovered from backup, it will be recovered to how it was at the time the backup job started. If your mail server is recovered using a 3-day old backup, you will lose 3 days’ worth of emails. Your recovery point objective (RPO) is how long a gap your business can afford to go back in time - and therefore how frequent your image backups to secure destinations should be made.
I test my backups
Unless you have tested your backups, you don’t know if they work. The only way to test your backups is to perform a full bare-metal server recovery, and to test that the recovered server works as intended.
I train my staff
Performing a recovery of a full system is a lot harder than restoring files. Your IT staff need to be familiar with the process. A ransomware attack is not the time to learn as you go.
If you selected NO for the first 2, your backups probably won’t help with ransomware
If you selected NO for any - your backup plan may not give the result you had hoped for
If you selected YES to all – congratulations, your backups can save you from ransomware
Performing a test recovery will reveal possible issues including:
- If some of the backups are corrupted due to hardware or data transfer issues
- If the replacement drive fails to meet the requirements for a recovery
- That the process of replacing the current physical drive has no unexpected problems
- That the computer’s firmware supports the recovery process
- That you are familiar with any networking and connectivity requirements
7.0. Hitting pause – a quick review of what we’ve covered before looking at how to respond to a ransomware attack
A Business Continuity Plan
A Ransomware Response Plan
A Disaster Recovery Plan
8.0. Ransomware response resources – key products and tools to help you before and during a ransomware attack
8.1. Before an attack – ransomware detection and protection solutions
8.2. During an attack – ransomware identification and decryption solutions
Once you identify the ransomware, check if there’s a decryption solution available. Two useful resources, WatchPoint and nomoreransom.org, can help determine if there is a decryptor available for your strain of ransomware. There are also decryptors available from Avast, AVG, Kaspersky and Trend Micro.
8.3. Online resources
9.0. Ransomware Response Plan – What to do during a ransomware attack
As someone responsible for fixing the ransomware attack in an operational or IT capacity, the saving grace is that you have a plan, you’ve tested it, and you have backups ready to go. But what should be in your response plan?
In the previous section, we looked at the tools and technical resources that can be used during a ransomware response. In this section, we look at processes and decision points to consider when making a response plan.
9.1. For Small and Medium Business
9.2. Larger Businesses
Possible steps to add for larger organizations:
Being able to recover a domain controller is critical, as Maersk, the world’s largest shipping conglomerate, found out when it was hit by a cyberattack and all 150 of its domain controllers were wiped. They relied on the servers acting as fallbacks for each other, and the company was only saved when one remaining domain controller was found in the Ghana office, because there had been a power outage at the time of the cyberattack.
Due to the poor network connection, an employee at the Ghana office was flown to Nigeria with the domain controller’s drive, and then another employee flew with it to London – delivering the drive that the whole company needed to start the recovery process and allow 20% of global shipping to resume. Read the full amazing story.
On behalf of the BackupAssist Cyber Security team
Thanks for reading our ransomware guide.
Don’t wait, contact us now through firstname.lastname@example.org to request your one-on-one session with one of our Client Success team members.