How to survive a ransomware attack?
It is not often we hear about a global ransomware attack, but that is exactly what happened last week. If you are a subscriber, you already received a quick update on what happened. This is a more in-depth write-up explaining what the ransomware is, how it spreads and how to defend against it.
Most people reading this have heard of WannaCry, the ransomware attack that is all over the news. It is one of the biggest ransomware attacks to date, and its scale is massive: it has infected over 200,000 devices in 150 countries, with possibly several more to come.
What is Ransomware?
Ransomware has been around for years. It is a form of malware that has existed for the last decade or so, but has taken on a visibly more damaging form in the past several years. It operates by encrypting files on the infected workstation and then demanding a bitcoin ransom in return for the decryption key. Attacks can exploit a broad spectrum of vulnerabilities, although phishing is probably the most common: the user is enticed to open an innocent-looking email attachment, which then drops a payload on the computer.
How dangerous is it?
According to Citrix, 94% of security breaches are related to espionage or financially motivated. With that kind of motivation, we can expect to see not only more attacks, but also far more sophisticated ones. In March 2017, during the Pwn2Own hacking contest, Chaitin Security Research Lab demonstrated a chain of six zero-day exploits (www.zerodayinitiative.com). They won $35,000 for this successful presentation. According to the FBI, the CryptoWall ransomware generated over $18m in revenue in 2015 alone.
WannaCry is not a zero-day attack: the security patch from Microsoft has been available since March 2017. None of the techniques is new or innovative. The $300 ransom was very low for the destruction it caused, and recovery of data is a fully manual process. This clearly shows that WannaCry was not designed to scale. A great blog post (as usual) explaining the reverse engineering of WannaCry, including DNS IPs, Tor exit nodes and Tor C2s, can be found on Cisco's Talos team blog.
WannaCry accidentally left behind a hole that allowed a security researcher to activate a kill switch that stopped it from spreading quickly. You can read about it in detail at MalwareTech, where the researcher explains how he registered an unregistered malware control server (C2) domain. Since then, new variants have been seen: v2 included the same kill switch and was immediately stopped by a different security researcher, and v3 includes a corrupted archive that prevents it from encrypting files.
The impact of WannaCry could have been catastrophic if it had been released by a more professional group. When experts start using real zero-day exploits, we might not be so lucky.
How to protect against ransomware?
Sadly, existing anti-malware solutions cannot detect and stop new ransomware. The fast-moving malware underground ensures that anti-malware vendors are always playing catch-up.
Educating users on how to identify possible payloads and avoid them would seem to be the best approach against ransomware. While this can be effective, in reality ransomware creators only have to bypass a defence once, and they keep changing tactics to do so. Even the best prepared amongst us can be deceived at some point.
WannaCry has highlighted a Windows OS vulnerability and the importance of keeping systems updated. After infecting the first machine, it exploits a vulnerability in the SMB protocol (the EternalBlue exploit from the recent Shadow Brokers leak of NSA exploits) to spread quickly to other computers on the local network and the internet. Following infection, the ransomware encrypts all data and installs the DoublePulsar backdoor for remote control. The ransom note is then displayed. While keeping Windows up to date is certainly necessary, it cannot be a 100 percent defence against new ransomware that takes advantage of zero-day vulnerabilities for which no patch yet exists.
So what can you do beyond keeping up to date with the latest OS updates and security patches? From experience, the best defence against ransomware is a data backup. A clean backup of an organisation's data can protect it, even if its other ransomware defences fail.
Invest in reliable backup software that can back up all endpoints. Look for something that can handle both Windows and Mac computers. To make the solution more bulletproof, consider storing backups in the cloud: this keeps the copy of your data separate from any ransomware attack on the endpoints. A cloud-agnostic solution that does not tie you down to its own cloud is always a good idea; you should be able to shop around for the best cloud storage prices and have the software work with the cloud of your choice. Ensure the backup payload being sent to the cloud is encrypted, using encryption keys you control. After all, this is valuable data that you are spending real money protecting, so you need to make sure it is safe from snooping eyes.
If you are managing many endpoints, look for a solution that can be centrally managed via policies and can scale across all endpoints. It should allow users to perform their own restores. You will also want some integration with the user directory you have in place, such as Active Directory. Since outbound network bandwidth can be at a premium, look for software that delivers incremental backups, resumes a failed backup from the point of failure, is resource-sensitive and uses methods like compression and de-duplication to save network bandwidth and storage space.
Also, it should allow you to manage data retention by file versions, so that you can get back data from a previous day or even a past week.
Ransomware is nasty. It is agonising to see all your documents and photos encrypted, to face the pay-or-don't-pay dilemma and to have no backup whatsoever. So please, do yourself a favour and make a backup today.
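As an added illustration (not code from the original post or from any backup product), here is a small in-memory model of the backup properties described above: content-addressed de-duplication, incremental snapshots, retention by version count and point-in-time restore. The file names, contents and the "encrypted" day-3 payload are constructed. It shows why a versioned store can recover a file after a ransomware run while a mirror that keeps only the latest copy cannot.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

class VersionedBackupStore:
    """In-memory, content-addressed backup store (illustration, not a product).
    A snapshot is a manifest path -> SHA-256 of content. Each blob is stored once
    per hash (de-duplication), so an unchanged file adds nothing to a new snapshot
    (incremental). Old snapshots are pruned by count (retention by versions)."""

    def __init__(self, keep_versions: int) -> None:
        self.keep_versions = keep_versions
        self.blobs: Dict[str, bytes] = {}
        self.snapshots: List[Tuple[int, Dict[str, str]]] = []  # (day, manifest)

    def backup(self, day: int, files: Dict[str, bytes]) -> int:
        """Record a snapshot of `files`; return the number of new blobs written."""
        manifest, new_blobs = {}, 0
        for path, data in files.items():
            digest = hashlib.sha256(data).hexdigest()
            if digest not in self.blobs:
                self.blobs[digest] = data
                new_blobs += 1
            manifest[path] = digest
        self.snapshots.append((day, manifest))
        self.snapshots = self.snapshots[-self.keep_versions:]  # apply retention
        live = {d for _, m in self.snapshots for d in m.values()}
        self.blobs = {d: b for d, b in self.blobs.items() if d in live}  # drop unreferenced
        return new_blobs

    def restore(self, path: str, before_day: int) -> Optional[bytes]:
        """Newest copy of `path` from any snapshot taken before `before_day`."""
        for day, manifest in reversed(self.snapshots):
            if day < before_day and path in manifest:
                return self.blobs[manifest[path]]
        return None

def simulate(keep_versions: int) -> Optional[bytes]:
    """Constructed scenario: two clean backups, then on day 3 ransomware replaces
    the file with ciphertext and the backup job faithfully copies that version."""
    store = VersionedBackupStore(keep_versions)
    store.backup(1, {"docs/report.txt": b"Q1 report, draft 1"})
    store.backup(2, {"docs/report.txt": b"Q1 report, draft 2"})
    store.backup(3, {"docs/report.txt.locked": b"\x8f\x1a\x00\xc3" * 4})  # simulated ciphertext
    return store.restore("docs/report.txt", before_day=3)

if __name__ == "__main__":
    print(simulate(keep_versions=7))  # b'Q1 report, draft 2': recovered from day 2
    print(simulate(keep_versions=1))  # None: a latest-copy-only mirror lost the file
```

The same logic explains why a backup job that runs after the encryption is not enough on its own: retention has to be long enough that a pre-infection version still exists when the damage is noticed.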