If you have suffered a ransomware attack, click here to read our action guide to find out what you need to do.
If you are looking for guidance on how to reduce the risk of a ransomware attack, click here to read our best practices.
What is a ransomware attack?
Ransomware is any attack against a computer or network in which the bad guys demand some form of payment to restore access to your computer and files.
The FBI considers ransomware a form of extortion because of the strategic targeting and high ransom demands. (Source: PDF Download)
There are two primary types of ransomware attack.
The first method is a browser takeover. The user’s browser is compromised by a phishing email, an infected attachment or a compromised website. The ransomware takes control of the browser and shows a splash screen with instructions on who to call to “fix” your computer.
This gives the appearance that the entire computer has been compromised, when in reality only the browser is infected. No files have been changed.
It was very common 5-6 years ago but never gained the notoriety of recent attacks, since it could be removed by most AV and anti-malware applications.
The second method is the fastest growing and is much more destructive.
Targeted System Ransomware
It uses the same attack vectors: phishing emails, infected attachments and compromised websites.
While the browser takeover was a “spray and pray” tactic where they wanted to infect as many people as possible, the new method is much more targeted. Instead of getting 10,000 people to pay $200 each to release a computer, they now take over a network and ask for millions to release the encryption key.
Since that can’t be done via a simple browser hijack, they have moved on to more complex attacks.
Now, after infecting a computer, the attackers don’t give away their presence right away. They install a backdoor on the compromised computer and try to pivot to a higher-payoff target such as a server or network-attached storage. Once they have escalated their access, they do things like adding their encryption tool to the anti-virus exclusions, disabling shadow copies and breaking the backups. Their goal is to render the network unrecoverable by normal means, so the target is forced to pay the ransom.
The attackers learn from their failures and tweak the attacks to give them a better chance for success. The latest ransomware attacks take a copy of your files. If you don’t pay, your files will be released on public websites.
The FBI warns against paying the ransom because the money goes to fund criminal organizations, terrorists or just generally bad people. It also tags you as a good target because you are willing to pay to get your files back.
Like many things in life, the decision to pay or not is rarely that black and white.
For most companies it comes down to a business decision. How much do I stand to lose if I don’t pay? That’s a decision the FBI cannot make for you.
How can you get infected?
There has been no shortage of attacks against Microsoft Windows in the last few years.
The best known is the EternalBlue vulnerability used by WannaCry (2017). It is a vulnerability in SMBv1 that allows an infection to spread to other unpatched computers on the network.
It was one of the most damaging infections in history, even though the patch for the vulnerability was released 2 months prior to the attack.
BlueKeep is the latest. It is a “wormable” flaw in the Remote Desktop Protocol, meaning it could be weaponized to launch malware that jumps automatically from PC to PC, spreading across the world without any action from the user.
Microsoft released a patch on 5.14.2019. It was reported that there were still over 800,000 unpatched systems exposed to the internet.
This is a fairly low complexity attack that will only gain in sophistication.
Phishing and spear-phishing
This has long been the most common method used to get behind a corporate firewall, and for good reason: it still works.
There are a couple of common approaches. The most common is to play the numbers. Send out as many phishing emails as possible. There will always be a few who bite.
The growing method uses a focused approach.
Let’s say you work for a sales company. I send an email with a spreadsheet attached that has a macro that installs a reverse shell on your computer.
Of course, your users know not to open an attachment from a stranger and enable macros, right?
What if I send the same email to your top rep on the last day of the quarter? Then call that rep and say “I just sent you a spreadsheet of some items I need to purchase. I know it’s a big order, but I need to place it today.
Sorry about the macros, my IT guys created that spreadsheet for me. You’ll need to enable them to see the product numbers. How fast can we process this order?” How much did that improve my odds of infecting your computer?
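The scenario above works because the macro-enabled attachment is judged by its name and by the story around it. A mail gateway can instead look inside the file: modern Office documents are zip packages, and a VBA project is stored as a vbaProject.bin entry, so its presence can be checked regardless of the extension. The following triage routine is an added example written for this article, not code from the original page or from any mail product; the sample packages it builds are constructed stand-ins, not real workbooks.

```python
"""Triage an inbound Office attachment by looking inside it for a VBA project
instead of trusting the file extension.
Added example with constructed sample packages; not code from the original
article."""
import io
import os
import zipfile
from typing import Tuple

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc/.xls container
MACRO_EXTENSIONS = {".xlsm", ".xltm", ".xlam", ".docm", ".dotm", ".pptm"}


def build_ooxml(with_macros: bool) -> bytes:
    """Build a minimal OOXML-style zip in memory (constructed stand-in for a
    real workbook: just enough structure for the check below)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macros:
            # Real packages store the VBA project under xl/ (or word/, ppt/).
            zf.writestr("xl/vbaProject.bin", b"\x00constructed placeholder\x00")
    return buf.getvalue()


def package_has_vba(data: bytes) -> bool:
    """OOXML documents are zip archives; macros live in a vbaProject.bin entry."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename: str, data: bytes) -> Tuple[str, str]:
    """Return (action, reason); actions are deliver, hold or quarantine."""
    ext = os.path.splitext(filename)[1].lower()
    if data.startswith(OLE_MAGIC):
        # The legacy binary format can carry macros without a zip entry to
        # look for; route it to sandbox/AV scanning rather than guess.
        return ("hold", "legacy_ole_format")
    if package_has_vba(data):
        reason = ("vba_project_present" if ext in MACRO_EXTENSIONS
                  else "vba_project_in_non_macro_extension")
        return ("quarantine", reason)
    if ext in MACRO_EXTENSIONS:
        return ("hold", "macro_extension_without_vba")
    return ("deliver", "no_macros")


if __name__ == "__main__":
    print(triage_attachment("order.xlsm", build_ooxml(True)))
    print(triage_attachment("order.xlsx", build_ooxml(False)))
```

The point of the check is that the decision never depends on the sender’s story: a VBA project gets quarantined whatever the extension says, and the legacy OLE format, which cannot be inspected this cheaply, is held for deeper scanning instead of being waved through.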
Ransomware attacks are the most common type of attack. According to the Q1 McAfee report, they have grown 118% this year. (Source)
What to do if you are hit with ransomware?
After a compromise is not the time to figure out your next step. That plan needs to be put in place and rehearsed.
Without a written plan we all fall back to our most basic instincts. That instinct is often panic.
Stop the spread of the virus
The first step is to stop the spread of the virus.
That might mean removing a computer from the network or pulling the power from all your network switches. That’s not a step that can wait on a decision by committee. It needs to happen fast, and it needs to happen no matter who is on vacation that day.
Contact the FBI’s Internet Crime Complaint Center.
Next, contact the FBI’s Internet Crime Complaint Center.
The next step is discovery. You need to find out as much as you can about the infection. Can it be decrypted using available tools? Are your onsite/offsite backups intact?
While you’re at it, send a handful of encrypted files to the bad actors and make sure they can decrypt them. You can be sure they provided their contact info.
Sit down with the decision makers
Now it’s time to sit down with the decision makers and put together a plan. Just because you have backups and can restore, doesn’t mean it is the best approach. If it’s going to take 2 weeks to restore all servers or 2 days to pay the ransom and decrypt them, a hard decision needs to be made.
Be in control of the message
It’s also time to decide who will speak with the press. If you have more than a few employees, the word is going to get out. Be sure you are in control of that message.
(If all else fails) Start negotiating
If your data cannot be decrypted and your backups have been destroyed, it’s time to start negotiating. The bad guys don’t know much about the value of your data. They are just trying to squeeze as much money from you as they can. It’s up to you to set that value.
There are services that will help with the negotiations.
Talk with your attorney about lawsuit defence
Many companies do not realize that a ransomware attack can result in legal actions.
It’s important to be prepared for legal action: to know when and how to inform clients, business associates and contractors if their information may have been compromised. Depending on what was ransomed and potentially copied, cyber lawyers are the people companies need to take advice from in these situations.
We have complete articles on cyber security legislation in both the USA and the UK. They can be found here: Cyber Security Guide for USA Businesses | Cyber Security Guide for UK Businesses
How to avoid being a victim of a Ransomware attack
You can never be 100% hardened against an attack. As the saying goes, your defensive team has to get it right every single time, the bad guys only have to get it right once.
Here’s a good approach that will make you more secure than 99% of the targets out there.
Use defense in depth. There is no blinky box or security package that will keep your network secure. It takes many small things working together.
Your employees make up the largest part of your security team.
They need to know what to do if they see something that doesn’t seem right.
You cannot make your employees feel chastised for alerting you to a possible breach, even if they caused it. The alternative is that they keep their mouths shut and you find out the hard way that your entire network is compromised instead of just that one computer.
Consider having all visitors check in.
This step lets you know who is in your office at all times and when they were on the premises. Requiring visitors to check in is fairly easy: all the visitor needs to do is show their ID and sign in. With that in place you can restrict the areas you deem to be for employee use only rather than open to the general public.
Make sure that all of your software is updated regularly and is kept up to date at all times.
This significantly reduces the risk of losing valuable information and of mining taking place. Updates are not hard to find, and chances are your computer will install them automatically once you grant permission for system-wide updates.
Make sure that you are disposing of technology and hardware properly.
Consider implementing a company-wide strategy to securely destroy any device, such as computers, printers, scanners or fax machines, that at one time held valuable and sensitive information which does not belong in the hands of others. You may think that because the data has been deleted you are safe; that is most definitely not the case.
Deleted information can be recovered far more easily than most people realize. Moving files to the trash on your computer is simply not enough. It is best to physically destroy the equipment to make sure that the data is truly not accessible to anyone.
While password security isn’t all you need to do, it is the first step. Why, you may ask? Because 81% of data breaches are caused by weak or stolen passwords.
Steps for creating and maintaining passwords
- Create a password policy – strong passwords with a requirement to change them frequently (60 – 90 days)
- Train your employees on the password policy
- Audit your password policy
The next step is to rank your data from most sensitive to least sensitive. This simple classification can be helpful:
Data security levels – sample case
- Red – the highest level of sensitivity – employee SSNs, client credit card information, financial data, etc.
- Yellow – business plans, marketing plans, client proposals, contracts, etc. (could be red depending on their importance to your business)
- Green – publicly available information
Once you have classified your data, you need a storage policy. One possible suggestion is the following. Red-level data needs to be on servers with limited access both internally and externally; this usually means stored locally. Yellow-level data can be stored in strongly protected cloud resources, such as Microsoft SharePoint or Shared Drive. Green-level information can be stored on shared servers.
Hold end user security training
Partner with an MSP that offers phishing training. It will tell you which users are likely to click links and enter credentials, so they can get further training.
Purchase a quality anti-virus with cloud control
You need to be alerted when your AV definitions aren’t up to date, or someone gets an infection.
Install a good firewall
The better ones will have IPS/IDS, sandboxing, web filtering and gateway anti-virus.
This will look at the traffic between your users and the internet and protect them from harm.
There are about 400,000 new forms of malware that are created every day!
Most Anti-Virus software applications do not provide good ransomware protection.
They rely on the dated method of using signatures to identify malware instead of looking at the behavior of the potentially unwanted application to determine whether it is doing malicious tasks. So it is inevitable that they will misidentify a malware application and allow it to install onto your PC.
In addition, in the event that your anti-virus (anti-malware) software does allow something malicious through, it needs to stop it before it encrypts your hard drive, to prevent any data loss.
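To make the signature-versus-behavior distinction concrete, here is a small behavior-based heuristic of the kind a ransomware guard applies: it ignores what the program is called and watches what it does to files. It is an added example written for this article, not code from the original page and not any product’s engine; the file-event stream, the process names and the thresholds are all constructed for the demonstration. The idea is that encrypted output looks like random bytes (entropy near 8 bits per byte), and a process that rewrites many different files that way within seconds, renaming them to a new extension as it goes, is behaving like an encryptor even if no signature matches. A legitimate archiver also writes high-entropy data, but to one new file, which is why the rule counts distinct files rather than bytes.

```python
"""Behaviour-based ransomware heuristic: flag a process that rewrites many
distinct files with high-entropy (encrypted-looking) content within a short
window, using extension changes as supporting evidence.
Added example over a constructed file-event stream; not code from the
original article and not any product's detection engine."""
import math
import ntpath
import random
from collections import Counter, defaultdict, deque
from typing import Dict, List, NamedTuple, Optional

HIGH_ENTROPY = 7.5      # bits per byte; random or encrypted data sits near 8.0
WINDOW_SECONDS = 10.0   # how close together the suspicious writes must be
MIN_FILES = 5           # distinct files rewritten inside one window


class Event(NamedTuple):
    ts: float
    proc: str
    op: str                     # "write" or "rename"
    path: str
    payload: Optional[bytes]    # bytes written (for "write")
    new_path: Optional[str] = None


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for a single repeated value, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def flag_processes(events: List[Event]) -> Dict[str, Dict[str, int]]:
    writes = defaultdict(list)   # proc -> [(ts, path)] of high-entropy writes
    ext_changes = Counter()      # proc -> renames that changed the extension
    for ev in events:
        if ev.op == "write" and ev.payload is not None and \
                shannon_entropy(ev.payload) >= HIGH_ENTROPY:
            writes[ev.proc].append((ev.ts, ev.path))
        elif ev.op == "rename" and ev.new_path and \
                ntpath.splitext(ev.path)[1] != ntpath.splitext(ev.new_path)[1]:
            ext_changes[ev.proc] += 1

    flagged = {}
    for proc, hits in writes.items():
        hits.sort()
        window = deque()
        distinct = Counter()
        for ts, path in hits:
            window.append((ts, path))
            distinct[path] += 1
            while ts - window[0][0] > WINDOW_SECONDS:   # slide the window forward
                _, old_path = window.popleft()
                distinct[old_path] -= 1
                if distinct[old_path] == 0:
                    del distinct[old_path]
            if len(distinct) >= MIN_FILES:
                flagged[proc] = {"high_entropy_files": len(distinct),
                                 "extension_changes": ext_changes[proc]}
                break   # report at the first moment the threshold is crossed
    return flagged


def build_sample_events() -> List[Event]:
    """Constructed event stream: a word processor, a backup archiver, and an
    unknown process rewriting six spreadsheets with random bytes."""
    rng = random.Random(7)

    def noise(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    text = b"Q3 revenue grew 4% on strong demand in the northeast region. " * 40
    events = [
        Event(0.0, "winword.exe", "write", r"C:\Users\alice\Docs\report.docx", text),
        # One archive: high entropy, but a single file, so it is not flagged.
        Event(1.0, "7z.exe", "write", r"C:\Backup\weekly.7z", noise(4096)),
    ]
    t = 2.0
    for i in range(6):
        path = rf"C:\Users\alice\Docs\sheet{i}.xlsx"
        events.append(Event(t, "unknown.exe", "write", path, noise(2048)))
        events.append(Event(t + 0.1, "unknown.exe", "rename", path, None, path + ".locked"))
        t += 0.5
    return events


if __name__ == "__main__":
    for proc, evidence in flag_processes(build_sample_events()).items():
        print(proc, evidence)
```

A real guard would act on the first flag (suspend the process, snapshot the files it touched) rather than just report, and would tune the thresholds per environment: database engines and compression tools produce high-entropy writes legitimately, so the distinct-file count and the extension change are what separate them from an encryptor.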
Use a DNS blackhole service
The better-known companies resolve millions of DNS queries per day and quickly discover the sites that are serving up malware, acting as Command and Control servers etc.
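The mechanism behind such a service is simple enough to show: a resolver checks every queried name against a blocklist and answers listed names with a sinkhole address instead of the real one. The subtlety is in the matching. A blocked domain must also block all of its subdomains, while a look-alike name that merely contains the blocked string must not match. The class below is an added example written for this article, not code from the original page or from any DNS provider; the blocklist, allowlist and query log are constructed, and the upstream resolver is a stub.

```python
"""Sinkhole-style DNS filtering: match a queried name against a blocklist so
that every subdomain of a blocked domain is blocked too, while look-alike names
that merely contain the string are not.
Added example with a constructed blocklist and query log; not code from the
original article."""
from typing import Callable, Dict, List, Optional, Set, Tuple

SINKHOLE_IP = "0.0.0.0"   # answer returned for blocked names


def normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.strip().rstrip(".").lower()


class Sinkhole:
    def __init__(self, blocked, allowed=()):
        self.blocked: Set[str] = {normalize(d) for d in blocked}
        self.allowed: Set[str] = {normalize(d) for d in allowed}

    @staticmethod
    def _ancestor_match(name: str, zone: Set[str]) -> Optional[str]:
        """Walk from the full name up towards the TLD; return the first listed ancestor."""
        labels = name.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in zone:
                return candidate
        return None

    def classify(self, qname: str) -> Tuple[str, Optional[str]]:
        """Return (verdict, matched_entry); the allowlist wins over the blocklist."""
        name = normalize(qname)
        hit = self._ancestor_match(name, self.allowed)
        if hit:
            return ("allow", hit)
        hit = self._ancestor_match(name, self.blocked)
        if hit:
            return ("block", hit)
        return ("pass", None)

    def resolve(self, qname: str, upstream: Callable[[str], str]) -> str:
        verdict, _ = self.classify(qname)
        return SINKHOLE_IP if verdict == "block" else upstream(normalize(qname))


# Constructed query log: time, client address, queried name.
SAMPLE_QUERY_LOG = """\
10:00:01 10.0.0.12 www.example.com
10:00:02 10.0.0.12 WWW.Malware-C2.example.
10:00:03 10.0.0.15 notmalware-c2.example
10:00:04 10.0.0.15 assets.safe.bad-cdn.example
10:00:05 10.0.0.20 evil.bad-cdn.example
"""


def process_query_log(log: str, sinkhole: Sinkhole) -> List[Dict[str, Optional[str]]]:
    results = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, client, qname = parts
        verdict, hit = sinkhole.classify(qname)
        results.append({"ts": ts, "client": client, "qname": normalize(qname),
                        "verdict": verdict, "matched": hit})
    return results


if __name__ == "__main__":
    sh = Sinkhole(["malware-c2.example", "bad-cdn.example"], allowed=["safe.bad-cdn.example"])
    for r in process_query_log(SAMPLE_QUERY_LOG, sh):
        print(r)
```

Matching label by label from the right is what keeps notmalware-c2.example unblocked while www.malware-c2.example is blocked; a naive substring test gets both wrong. The log output (which client asked for which blocked name, and when) is also the first place to look for an infected machine, since a host querying a command-and-control name has already run something it shouldn’t have.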
Protect against Living off the Land attacks
If an end user doesn’t use PowerShell to do their day to day job, why leave it enabled?
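Where PowerShell cannot be removed, the next best thing is to watch how it and the other built-in tools are used. This detector is an added example written for this article, not code from the original page or from any EDR product, and it serves two passages at once: the staging steps described earlier (disabling shadow copies, breaking backups, adding the encryption tool to the anti-virus exclusions) and the living-off-the-land use of PowerShell here. It scans process-creation events for the commands those steps leave behind. The tab-separated log layout is an assumption for the demonstration, the log lines are constructed, and the base64 payload in the sample is a harmless command encoded the way PowerShell’s real -EncodedCommand switch expects, used only so the sample line has a realistic shape.

```python
"""Detect process-creation events that look like ransomware staging: shadow
copy deletion, backup catalog removal, disabled Windows recovery, anti-virus
exclusions being added, and encoded PowerShell.
Added example over constructed log lines; not code from the original article.
The field layout (user, image, command line, tab-separated) is an assumption,
not any particular product's export format."""
import base64
import re
from typing import Dict, List

# A harmless command, UTF-16LE base64-encoded as -EncodedCommand expects; used
# only so the sample line below has the shape of an encoded invocation.
ENCODED = base64.b64encode("Write-Output hello".encode("utf-16le")).decode()

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"

SAMPLE_EVENTS = "\n".join([
    "alice\tC:\\Windows\\System32\\notepad.exe\tnotepad.exe Q3report.txt",
    "SYSTEM\tC:\\Windows\\System32\\vssadmin.exe\tvssadmin.exe delete shadows /all /quiet",
    "bob\tC:\\Windows\\System32\\wbem\\WMIC.exe\twmic shadowcopy delete",
    "bob\tC:\\Windows\\System32\\bcdedit.exe\tbcdedit /set {default} recoveryenabled no",
    f"carol\t{PS}\tpowershell -NoProfile -EncodedCommand {ENCODED}",
    f"carol\t{PS}\tpowershell Get-ChildItem C:\\Temp",
    f"eve\t{PS}\tpowershell -Command \"Add-MpPreference -ExclusionPath C:\\Users\\eve\\AppData\\Local\\Temp\"",
    "dave\tC:\\Windows\\System32\\wbadmin.exe\twbadmin delete catalog -quiet",
])

# Each rule is (name, pattern over the command line). Case-insensitive because
# Windows is, and the ".exe" suffix is optional because it usually is omitted.
RULES = [
    ("shadow_copy_deletion", re.compile(
        r"\b(?:vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete)\b", re.I)),
    ("backup_catalog_deletion", re.compile(
        r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I)),
    ("recovery_disabled", re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+recoveryenabled\s+no\b", re.I)),
    ("av_exclusion_added", re.compile(
        r"\bAdd-MpPreference\b.*-Exclusion(?:Path|Process|Extension)\b", re.I)),
    # -e, -ec, -en, -enc and -EncodedCommand are all accepted abbreviations.
    ("encoded_powershell", re.compile(
        r"\bpowershell(?:\.exe)?\b.*\s-e(?:c|n|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I)),
]


def parse_event(line: str) -> Dict[str, str]:
    user, image, cmdline = line.split("\t", 2)
    return {"user": user, "image": image, "cmdline": cmdline}


def detect(events: str) -> List[Dict[str, str]]:
    """Return one alert per (event, rule) match, in log order."""
    alerts = []
    for line in events.splitlines():
        if line.count("\t") < 2:
            continue     # skip malformed lines rather than crash the pipeline
        ev = parse_event(line)
        for rule, pattern in RULES:
            if pattern.search(ev["cmdline"]):
                alerts.append({"rule": rule, "user": ev["user"], "cmdline": ev["cmdline"]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a['rule']}] {a['user']}: {a['cmdline']}")
```

Backup software and administrators run some of these commands legitimately, so in practice each rule carries an allowlist keyed on the user or parent process and the alert severity rises when several rules fire from one host in a short period, which is exactly the pattern the staging steps produce.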
Take away local admin rights
As with the previous point, it’s good practice to remove or disable anything a user doesn’t need to do their job. Local admin rights are one of those things.
If a user doesn’t have rights to install software, it makes it much harder for their computer to get infected.
Monitor the dark web for credential theft
An astounding 59% of users admit to reusing the same password on every website.
Those passwords are then used in Credential Stuffing attacks which allow hackers to try your username and password on hundreds of sites in a few minutes. How many of those sites have your credit card info saved?
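Credential stuffing has a recognisable shape in authentication logs, and that shape is different from ordinary password guessing: one source address tries many different usernames, each once or twice, rather than hammering a single account. The detector below is an added example written for this article, not code from the original page or from any product; the log format and the sample lines are constructed, and the thresholds are illustrative.

```python
"""Spot credential stuffing in authentication logs: one source address cycling
through many different usernames with failed logins in a short window, as
opposed to password guessing against a single account.
Added example over a constructed log; not code from the original article. The
log line format is an assumption."""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, List

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")


def parse_ts(ts: str) -> float:
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp()


def detect_auth_anomalies(lines: List[str], window: float = 60.0,
                          min_attempts: int = 10, min_users: int = 10) -> Dict[str, Dict[str, object]]:
    failures = defaultdict(list)   # ip -> [(ts, user)] for failed logins only
    for line in lines:
        m = LINE_RE.match(line)
        if m and m["result"] == "fail":
            failures[m["ip"]].append((parse_ts(m["ts"]), m["user"]))

    findings = {}
    for ip, events in failures.items():
        events.sort()
        recent = deque()     # failures inside the sliding window
        users = Counter()    # distinct usernames inside the window
        for ts, user in events:
            recent.append((ts, user))
            users[user] += 1
            while ts - recent[0][0] > window:
                _, old = recent.popleft()
                users[old] -= 1
                if users[old] == 0:
                    del users[old]
            if len(recent) >= min_attempts:
                # Many accounts from one address is stuffing; one account is guessing.
                kind = "credential_stuffing" if len(users) >= min_users else "password_guessing"
                findings[ip] = {"kind": kind, "attempts": len(recent), "distinct_users": len(users)}
                break   # report the first crossing, not every subsequent event
    return findings


def build_sample_log() -> List[str]:
    """Constructed log: a stuffing run, a single-account guessing run, and a user
    who mistyped once and then logged in."""
    start = datetime(2024, 3, 1, 10, 0, 0, tzinfo=timezone.utc)

    def line(offset_s: int, ip: str, user: str, result: str) -> str:
        t = start + timedelta(seconds=offset_s)
        return f"{t.strftime('%Y-%m-%dT%H:%M:%SZ')} ip={ip} user={user} result={result}"

    lines = []
    for i in range(12):   # twelve different accounts from one address in 24 s
        lines.append(line(2 * i, "203.0.113.5", f"user{i:02d}", "fail"))
    for i in range(12):   # one account hammered from another address
        lines.append(line(2 * i + 1, "198.51.100.7", "bob", "fail"))
    lines.append(line(5, "192.0.2.9", "carol", "fail"))
    lines.append(line(9, "192.0.2.9", "carol", "ok"))
    return lines


if __name__ == "__main__":
    for ip, finding in detect_auth_anomalies(build_sample_log()).items():
        print(ip, finding)
```

Because stuffing uses passwords that are correct somewhere, a run of this kind is often followed by a handful of successes across unrelated accounts; those successes, not the failures, are the ones to force a password reset and a second-factor check on.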
Most people in the IT Security field would agree that the current system of logging in with a Username and Password is broken.
An easy fix is to use a second factor to authenticate. Whether it’s a PIN, a hardware token like a YubiKey or a fingerprint, there needs to be a second way to prove you are who you say you are. Don’t buy into all the hype about SIM swapping crippling the use of SMS as the second factor. Unless you have huge amounts of money in a crypto wallet, the chances of someone going to the trouble are quite small.
Don’t publicize your insurance coverage
You might laugh, but I’ve seen businesses put it on their website landing page. If you advertise that you have $3,000,000 in cyber coverage, guess how much the bad guys are going to ask for when you get ransomware?
The industry experts who contributed to this article.
Steven J.J. Weisman
Position: Founder of Scamicide
Steve is a nationally recognized expert in scams, identity theft and cybersecurity as well as a lawyer, college professor and prolific author.
In his informative speeches, articles and books Steve makes difficult subjects such as cybersecurity, scams and identity theft not only understandable, but enjoyable with the humor he brings to these complex issues.
Position: CEO of Digital Mom Talk
Chelsea Brown is the CEO of Digital Mom Talk and a Certified Cyber Security Consultant for businesses and families. She secures businesses and family homes through education, digital courses, coaching, private consultations and events. She has a Bachelor’s Degree in Computer Information Technology with an emphasis in Networking and Cybersecurity, holds a CompTIA Security+ Certification and has 10 years’ working experience securing businesses and family homes.
Position: CEO of ProStrategix Consulting
Position: Canadian Risk Manager at Marcilall.com