Surviving a Ransomware Attack
According to Google, ransomware victims are estimated to have paid around $24 million to attackers last year, and that figure has risen to over $1 billion this year. So you have probably heard enough about ransomware/crypto attacks to know that they are fast becoming one of the biggest cyber threats to both individuals and businesses.
Ransomware is a type of malware that either locks access to or encrypts your files and demands a ransom, usually in bitcoins to make it difficult to trace, in exchange for the promise of restoring access to your files.
In many cases you cannot guarantee normal access to the files even after you pay the ransom. Most modern ransomware performs extra functions to hamper the recovery of data, such as encrypting the shadow copies used for system restore points or even deleting them. Some cryptos lurk in the background for weeks or months without being caught, so that even the backups end up encrypted. If the crypto is specifically targeted at your business, the attackers will exploit every possible vulnerability to make sure the company has no option but to pay. Typically the ransomware displays a time limit on screen; going over the deadline means the ransom increases or, worse, the data is destroyed and lost forever, adding yet another level of psychological stress to an already difficult situation. To make matters worse, even if you pay on time there is no guarantee that you will receive the decryption key or that decryption will complete successfully. Most of the time this is a no-win situation and can lead to higher costs and losses for individuals and businesses.
In order to prevent, or at least better survive, one of these attacks, companies should develop a plan of action for each stage of a crypto attack.
Pre-attack stage
Backups and more backups – Having multiple versions of offline backups can sometimes be the only way to recover files after a ransomware attack. However, cryptos are now so cleverly scripted that they can hide in the OS for so long that all the backup files could be encrypted as well. One way to lessen this risk is to keep a long-term offline archival scheme in addition to normal backups.
It is good practice to have dedicated backup software that takes regular backups of your important data and stores them in offline backup archives in different locations. When restoring from a backup, files should first be scanned for malware and cleaned up. Regular testing of recovery from backups helps organisations identify and rectify issues that could make it difficult to recover when it matters. This involves planning and implementing robust business continuity and disaster recovery plans for your data.
User education and awareness training – Constant education in cyber awareness helps users identify phishing and spear-phishing attacks. One of the most common ways for this malware to spread is through spam email and SMS campaigns specifically targeting users. Humans are most often the weakest link in a security system, and it is easy for a clever attacker to exploit a human vulnerability. Regular training and a cyber-aware culture help business users stay vigilant. Investing in IT security for the organisation is a key factor: most businesses leave cyber security to the IT team but do not consider investing money in, or providing the right training to, the IT staff who must correctly identify and configure the infrastructure to prevent cyber attacks.
Access control – Understanding and implementing access control mechanisms to define permissions, rights and privileges to users and systems will allow you to control who can access specific objects in the environment. Organisations are advised to implement access controls in multiple layers that provide layered security to their protected assets. This would include physical access controls, logical controls and administrative controls.
Monitoring for insider threats – With the advent of BYOD (bring your own device) in the workplace, together with the often lax controls around it, the likelihood of insider attacks has hugely increased for organisations. Insider threats take many forms, and an attack can be difficult to identify immediately if the environment is not constantly monitored.
While there are many ways of managing insider threats, software that monitors networks for suspicious user activity can help detect malware before it spreads. Such tools can be configured to detect and stop ransomware, or any other kind of malware, from infecting systems.
Users should by default be blocked from plugging devices such as mobile phones, USB sticks and CDs/DVDs into systems, and monitoring should be in place to detect any infected device connecting to the network.
Controlling and managing application installations on systems, blocking access to certain websites, and only allowing outgoing browser traffic via a proxy server can stop users browsing to infected sites that spread malware, and can disable the malware's command and control mechanism.
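As an added illustration of the kind of monitoring described above (example code written for this page, not a product or tool mentioned in it), the following Python script runs simple ransomware-behaviour heuristics over constructed file-activity log lines: deletion of shadow copies, a burst of files renamed to the same new extension, and a ransom-note-like file appearing. The log format, process names and thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log, format "HH:MM:SS|process|event|detail" (not real telemetry).
SAMPLE_LOG = """\
10:00:01|winword.exe|WRITE|C:\\Users\\ann\\report.docx
10:00:05|winword.exe|WRITE|C:\\Users\\ann\\budget.xlsx
10:02:10|updater.exe|EXEC|vssadmin delete shadows
10:02:11|updater.exe|RENAME|C:\\Users\\ann\\report.docx -> C:\\Users\\ann\\report.docx.locked
10:02:11|updater.exe|RENAME|C:\\Users\\ann\\budget.xlsx -> C:\\Users\\ann\\budget.xlsx.locked
10:02:12|updater.exe|RENAME|C:\\Users\\ann\\notes.txt -> C:\\Users\\ann\\notes.txt.locked
10:02:12|updater.exe|RENAME|C:\\Users\\ann\\photo.jpg -> C:\\Users\\ann\\photo.jpg.locked
10:02:13|updater.exe|RENAME|C:\\Users\\ann\\cv.pdf -> C:\\Users\\ann\\cv.pdf.locked
10:02:13|updater.exe|WRITE|C:\\Users\\ann\\README_DECRYPT.txt
10:05:00|backup.exe|RENAME|D:\\archive\\2016.zip -> D:\\archive\\2016-old.zip
"""

# Shadow copy removal hampers recovery, exactly the behaviour the article warns about.
SHADOW_DELETE = re.compile(r"vssadmin.*delete\s+shadows", re.I)
# Ransom notes are typically small text/HTML files with "decrypt"/"restore" in the name.
RANSOM_NOTE = re.compile(r"(decrypt|restore|recover).*\.(txt|html)$", re.I)

def to_seconds(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s

def detect(log_text, window=60, rename_threshold=5):
    """Return {process: [reasons]} for processes showing ransomware-like behaviour."""
    renames = defaultdict(list)   # process -> [(time, new extension)]
    alerts = defaultdict(list)
    for line in log_text.splitlines():
        if line.count("|") < 3:
            continue              # skip malformed lines rather than crash
        ts, proc, event, detail = line.split("|", 3)
        if event == "EXEC" and SHADOW_DELETE.search(detail):
            alerts[proc].append("shadow copy deletion (hampers recovery)")
        elif event == "RENAME":
            new_path = detail.split(" -> ", 1)[1]
            renames[proc].append((to_seconds(ts), new_path.rsplit(".", 1)[-1].lower()))
        elif event == "WRITE" and RANSOM_NOTE.search(detail.rsplit("\\", 1)[-1]):
            alerts[proc].append("ransom-note-like file written")
    # Burst heuristic: many files renamed to the same new extension inside one window.
    for proc, events in renames.items():
        events.sort()
        for i, (t0, ext) in enumerate(events):
            same = [e for t, e in events[i:] if t - t0 <= window and e == ext]
            if len(same) >= rename_threshold:
                alerts[proc].append(f"{len(same)} files renamed to .{ext} within {window}s")
                break
    return dict(alerts)
```

On the sample log only updater.exe trips all three heuristics; the single rename by backup.exe stays below the burst threshold, which is the kind of tuning a real deployment needs to avoid flagging legitimate bulk operations.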
Email virus scanners and spam filters, as well as Web Application Firewalls (WAF), can stop most malware from spreading when configured correctly. A WAF offers security not just by blocking ports but by actually inspecting packets, checking that well-formed requests are coming from the expected hosts, to protect the organisation.
A WAF is an ideal solution if you have vulnerable services or poorly coded sites that do not validate input data, or that are otherwise running at high risk. It will benefit any organisation that has mission-critical applications holding critical data.
Run patched software and up-to-date antivirus on all systems – there is no point having the newest software running in the infrastructure if you are not keeping up with the patches that fix the vulnerabilities in it.
Regular vulnerability scanning – In order to maintain a good security posture, businesses need to continuously assess and improve their security measures. A vulnerability assessment is a low-cost process that defines, identifies and classifies a wide range of vulnerabilities in a constantly changing environment. By carrying out regular vulnerability assessments, organisations can ensure they have identified and fixed the known vulnerabilities that could otherwise be exploited to inject malware into their systems.
Implement SILO solutions – A silo is a sandbox solution running in its own zoned-off area delimited by a web application firewall (WAF). This allows organisations to secure mission-critical information and applications. It also allows vulnerable legacy applications and environments that are simply too complex or costly to re-engineer to continue running in a way that does not affect the security of the rest of the infrastructure.
Cyber insurance – A type of cyber liability policy that covers businesses against ransomware. Usually called cyber extortion coverage, it can help businesses cover the ransom money, related expenses and the cost of repair. There are usually very specific requirements and processes that need to be put in place when signing up for such a policy.
Post-attack stage – are you going to pay the RANSOM?
This is a very difficult question to answer, as it depends on each situation. There is no guarantee that data can be fully recovered after the ransom is paid. However, there are many things you can try before deciding to pay.
Isolation – First things first: the moment you realise a device has malware on it, isolate it from the network to stop the malware spreading to other devices.
The type of crypto – It is important to identify the type of malware. There are various decryption tools out there that identify the strain and try to recover the data. Make sure you obtain the latest versions, as decryptors can become out of date when newer, more sophisticated forms of malware are released by cyber criminals.
Identify where the attack came from – This helps stop reinfection and spreading to other devices on the network. Fix the vulnerabilities and make sure the right actions are taken to clean up the malware.
Make sure the backups are safe – One of the most important tasks is to make sure the backup is not infected. Scan it thoroughly for any malware.
This is a never-ending battle and a constant game of catch-up between malware authors and security researchers. Focusing on prevention has proved to be the best defence against any cyber attack, and especially against ransomware. Should the worst happen, take the time to conduct a lessons-learnt exercise afterwards to understand what happened and update your prevention strategies accordingly.
At Meta Defence Labs we offer a “no crack, no fee” service for ransomware. It's simple: we won't charge you a fee if we can't fix it. We will take a look at the files to see if we can reverse engineer them, or provide consultancy to help clear an infected environment. Our services can also help you identify the weak points in your network and harden security in your environment.
Call us for more details on 0203 222 4060
or email us on: firstname.lastname@example.org