A matter of survival

April 2017

Log bridgeChani Simms MBCS, IT Specialist & Co-founder of Meta Defence Labs, discusses how organisations can improve their chances of surviving a ransomware attack.

I’m sure you think you’ve heard enough about ransomware/crypto attacks but do you know that it’s fast becoming one of the biggest cyber threats to both individuals and businesses. It’s a type of malware that will either lock access to or encrypt your files, demand a ransom be paid, usually in bitcoins to make it difficult to trace, in exchange for the promise of restoring access to your files.

In many cases you can’t guarantee normal access to the files even after you pay the ransom. Most modern ransomware perform extra functions to hamper the recovery of data by encrypting the shadow copies used for system restore points, or even deleting them. Some crypto’s lurk in the background for weeks or months without being caught so that even the backups are encrypted.

If the crypto is specifically targeted to your business, then the hackers would be exploiting every possible vulnerability to make sure the company has no other options but to pay the ransom.

Typically, ransomware displays a time-limit on the screen and going over the deadline means that the ransom will increase or worse that the data will be destroyed and lost forever, to add yet another level of psychological stress to an already difficult situation.

To make matters worse, even after you pay the ransom on time there is no guarantee that you will receive the decryption key or that the decryption stage will complete successfully. Most of the time this is a no win situation and could lead to higher costs and losses for individuals and businesses. In order to prevent or better survive one of these attacks, companies should develop plans of action for each of the different stages of a crypto attack.

Pre attack stage: Backups and more backups

Having multiple versions of offline backups can sometimes be the only solution to recovering files from a ransomware attack. However, nowadays cryptos are becoming so cleverly scripted that they can be hiding in the OS for an extended period of time that all the backup files could be encrypted as well.

One method to lessen the effects of this is to have a long term offline archival scheme in addition to normal backups.

It’s a good practice to have dedicated backup software that takes regular backups of your important data and store them in offline backup archives and in different locations. When restoring from a backup, files should first be scanned for malware and cleaned up.

Regular testing of recovery from backups help organisations to identify and rectify issues that could make it difficult to recover from backups. This involves planning and implementing robust business continuity and disaster recovery plans for your data.

User education and awareness training

Training will provide constant education for users to be more cyber aware and to help them to identify phishing and spear-phishing attacks. One of the most common ways for these malware to spread is through spam email campaigns and SMS specifically targeting users, humans most often being the weakest link in a security system. It is easy for a clever hacker to exploit a human vulnerability.

Having regular training and creating a cyber aware culture helps business users to be vigilant. Investing in IT security for the organisation is a key factor. Most businesses leave cyber security to IT teams but do not consider investing money or providing the right training to the IT staff to correctly identify and configure the IT infrastructure to prevent cyber attacks.

Access control

Understanding and implementing access control mechanisms to define permissions, rights and privileges to users and systems will allow you to control who can access specific objects in the environment. Organisations are advised to implement access controls in multiple layers that provide layered security to their protected assets. This would include physical access controls, logical controls and administrative controls.

Monitoring for insider threats

With the advent of BYOD (bring your own device) in the workplace together with often lax controls around this, the likelihood of insider attacks has hugely increased for organisations. Insider threats take many forms and it can be difficult to identify an attack immediately if not constantly monitored.

While there are many ways of managing insider threats, having certain software that can monitor networks for suspicious user activities can help with detecting malware before it spreads.

They can be configured to detect and stop ransomware or any kind of malware from infecting systems. Users should, by default, be blocked from plugging in devices such as mobile phones, USB sticks and CD/DVDs to the systems. Monitoring should be in place to detect any infected devices connecting to the network. 

Controlling and managing the application installations on systems and blocking access to certain websites, and only allowing outgoing browser traffic via a proxy server can help stop users browsing to infected sites that encourage speared malware, or disable the malware’s command and control mechanism.

Email virus scanners and spam filters

As well as web applications, firewalls can stop most of the malware spreading when configured correctly.

Run patched software and up-to-date antivirus on all systems

There’s no point having the newest software running in the infrastructure if you are not keeping up with applying the software patches that fix vulnerabilities in them.

Regular vulnerability scanning

In order to maintain a good security posture, businesses need to continuously assess and improve their security measures. A vulnerability assessment is a low cost process that defines, identifies and classifies a wide range of vulnerabilities in a constantly changing environment. By carrying out regular vulnerability assessments organisations can ensure that they have identified and fixed the known vulnerabilities that could have been exploited to inject malware into their systems.

Implement SILO solutions

A silo is a sandbox solution running behind its own zoned off area delimited by a web application firewall (WAF). This allows organisations to secure mission critical information and applications. It also allows vulnerable legacy applications and environments that are simply too complex or costly to re-engineer to continue to run in a way that does not impact the security of the rest of the infrastructure.

Cyber insurance

A type of cyber liability policy that covers businesses against ransomware. They are usually called cyber extortion coverage and can help businesses cover the ransom money, related expenses and costs of repair. There are usually very specific requirements and processes needing to be put in place when signing up for such a policy.

Post attack - are you going to pay the ransom?

It’s very difficult to answer this question as it depends on each situation. There is no guarantee that data can be fully recovered after the ransom is paid. However, there are many things that you can try before deciding to pay.

Isolation

First things first, the moment you realise you have malware in your device it should be isolated from the network to stop the malware spreading to other devices.

The type of crypto

It is important to identify the type of malware. There are various decryption tools out there to identify and try recover the data. Make sure you obtain the latest versions as decryptors could become out-dated as newer more sophisticated forms of malware are released by cyber criminals.

Identifying the origin of attack

This helps to stop reinfection and spreading to other devices in the network. Fix the vulnerabilities and make sure the right actions are taken to clean up the malware.

Make sure the backups are safe

One of the most important tasks should be to make sure the backup is not infected. Scan for any malware thoroughly.

Future prevention

This being a never-ending battle, it’s a constant game of catch up between malware authors and security researchers. Focusing on prevention is proved to be the best solution for any cyber attack, especially for ransomware and should the worst happen, take the time to conduct a lessons learnt exercise afterwards to understand what happened and update your prevention strategies accordingly.

Image: iStock/Everste

There are no comments on this item

Leave Comment

Post a comment