What you can do about ransomware

When non-technical people ask what I do, I usually say “I run a cybersecurity research lab and incubator.  Over the last 4 years we’ve solved hard problems like adding trust to the Internet, giving consumers control over what happens with their data and accounts, making cloud data worthless if stolen, stopping ransomware in its tracks, and detecting fake pictures online.  Now we’re working on things like protecting databases from being changed and protecting software from embedded malware”.

Not a week goes by without someone responding “Ransomware?  What should I do about Ransomware?”  For those lucky enough to have avoided this worry, ransomware is a type of computer attack in which extortionists encrypt the data on your computer, demanding payment to return access to your own files.  Many attacks are combined with a threat to make sensitive data public if payment isn’t received.

My stock answer is a list of controls, starting with “make frequent backups and test them”.  For those who want to do more, I rattle off a list based on their company’s technology maturity.

Having done this frequently, I thought it time to capture my “best practices for preventing ransomware” list.  This is a list of good, better, and best cumulative controls that companies can check themselves against, all of which have a role to play in preventing an initial attack, minimizing impact, and recovering from damage done.  Many help with other types of cyber attacks, even though the focus here is ransomware.  I know that others will have tools and techniques they favor or may prioritize things differently; this list is my opinion of how I view the controls landscape at this moment in time.  I’m publishing it to offer one person’s plain English guidance to those worried that they might not be doing enough (with tech details and keywords in parentheses in case you want to learn more).  Finally, I will caution that just because a tool is implemented doesn’t mean it’s working well, and that no system will stop all threats.

I hope this gives comfort to those who have a solid set of defenses and ideas to everyone else. 


Best practices for preventing and mitigating ransomware attacks


Identify

Good

  • Create and update an inventory of critical systems and services to monitor

Better

  • Discover newly added internal systems and services, alert if unexpected

  • Discover newly added cloud systems and services, alert if unexpected

Best

  • Discover sensitive data both internally (servers, desktop files, etc.) and in cloud storage, alert if unexpected


Prevent

Good

  • Tools and services that block malicious links in emails (web proxies, URL link protection)

  • Significant patches applied in a timely manner based on system criticality and connectivity to other systems (“criticality” is defined as providing critical functions or holding sensitive or important data)

  • Checking and enforcing passwords for minimum complexity

  • Two Factor Authentication (2FA or MFA) when logging into high-risk or Internet facing systems and applications, including those hosted in the cloud.

  • Vulnerability management: monthly scans to discover and remediate material vulnerabilities on both internal and external facing systems (prioritized by vulnerability “CVSS” score and system criticality)

Better

  • Regular (e.g. annual) training of users on best-practice security behaviors

  • Internal firewalls to limit connectivity between systems with similar functions like desktops (east-west firewalls) and systems with different functions (north-south firewalls)

  • Only granting users and software the minimum permissions necessary to operate (least privilege policy)

  • Third-party penetration tests and internal “red team” attempts to exploit vulnerabilities

Best

  • Threat actor capability modeling (e.g. ATT&CK framework), mapped against defenses

  • User awareness testing (e.g. internal phishing campaigns, USB drop tests)

Detect

Good

  • Logging and logfile monitoring and alerting for unexpected behavior

  • Monitoring and replacing end-of-life hardware and software (inventory lifecycle management)

  • Signature-based antivirus/malware scans of servers, desktops, and mobile

Better

  • Behavior monitoring and analytics of both users and software/services, with alerting

Best

  • Security Operations Center (SOC), monitoring for incidents
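The “logging and alerting for unexpected behavior” control above, shown as an added example that is not from the original post: a small detector run over constructed file-share audit lines that flags one account renaming many files to an unfamiliar extension within seconds, which is what encryption in progress looks like from the file server’s side. The audit line format, the KNOWN_EXT baseline, the window and the threshold are all assumptions, not any vendor’s.

```python
import os.path
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed audit-line format (not a vendor's): "<iso time> host=.. user=.. op=.. path=.."
LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                     r"op=(?P<op>WRITE|RENAME|DELETE) path=(?P<path>\S+)$")
# Extensions normally present on the share; anything else counts as unexpected.
KNOWN_EXT = {".xlsx", ".docx", ".pptx", ".pdf", ".txt", ".csv"}


def parse_event(line):
    """Return the event fields, or None so a malformed line is skipped, not fatal."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_mass_modification(lines, window_s=60, threshold=5):
    """Alert once per (host, user) that writes/renames >= threshold distinct files
    with an unexpected extension inside a sliding window of window_s seconds."""
    recent = defaultdict(deque)          # (host, user) -> deque of (ts, path)
    alerted, alerts = set(), []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["op"] == "DELETE":
            continue
        if os.path.splitext(ev["path"])[1].lower() in KNOWN_EXT:
            continue                     # ordinary edits never enter the window
        key = (ev["host"], ev["user"])
        window = recent[key]
        window.append((ev["ts"], ev["path"]))
        while (ev["ts"] - window[0][0]).total_seconds() > window_s:
            window.popleft()             # drop events older than the window
        distinct = {path for _, path in window}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((key[0], key[1], ev["ts"].isoformat(), len(distinct)))
    return alerts


# Constructed sample: one normal edit, then a workstation renaming files to a
# new extension faster than any person would.
SAMPLE_LOG = [
    "2024-05-01T09:00:01 host=ws-17 user=alice op=WRITE path=/share/finance/q1.xlsx",
    "2024-05-01T09:01:10 host=ws-42 user=bob op=RENAME path=/share/finance/q1.xlsx.locked",
    "2024-05-01T09:01:11 host=ws-42 user=bob op=RENAME path=/share/finance/q2.xlsx.locked",
    "2024-05-01T09:01:11 host=ws-42 user=bob op=RENAME path=/share/finance/budget.docx.locked",
    "2024-05-01T09:01:12 host=ws-42 user=bob op=RENAME path=/share/hr/payroll.csv.locked",
    "2024-05-01T09:01:13 host=ws-42 user=bob op=RENAME path=/share/hr/contracts.pdf.locked",
]
```

Tune the threshold against a few days of real audit volume before alerting on it; the same logic also feeds the “rapidly isolate suspect systems” control, since the alert names the host to quarantine.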


Respond

Good

  • Alerting and blocking data movement (exfiltration) based on volume and destination (Data Loss Prevention)

Better

  • Predefined policies and run books, describing actions for different types of incidents. These must be printed or on a system not connected to your network so they can be accessed when systems are compromised

Best

  • Data classification, with alerting and blocking unauthorized movement of sensitive data across internal and external boundaries (Data Loss Prevention)

  • Automated scripts that implement predefined runbooks in response to incidents

  • Tools to rapidly isolate or quarantine suspect systems

  • Tools to throttle CPU, network, and storage bandwidth on suspect systems

  • Pre-built tools to partition networks, limiting the spread of potential infections (submarine doors)

Recover

Good

  • Daily or continuous backups of all critical systems, regularly tested

  • Pre-defined breach notification plan

  • Pre-identified forensic capabilities, using internal resources or external vendors

Better

  • Cyber insurance

Best

  • Regular scans of the “dark net” looking for stolen data


What if you’ve become a victim already?

Maybe you implemented controls, maybe some were lacking.  Once you are a victim, here’s what I’d recommend:

Do

  • Immediately remove suspect systems from your network so the infection can’t spread

  • If you see lots of disk drive activity, or believe that files are still being encrypted, power the system off as quickly as possible.

  • Test your backups, if you have them.  This will let you know if you have the ability to recover.

  • Engage a cybersecurity forensics team (if you have cyber or business interruption insurance and don’t have the skill in-house, your insurance company may have recommendations).

  • Check legitimate ransomware decryption sites (e.g. https://nomoreransom.org) to see if your files can be recovered.  Your antivirus vendor may be able to help as well.

  • Have the forensics team determine how the attackers got in and remediate the vulnerabilities they used.  Also have them scan for other infected systems.  A best practice is to wipe or replace as much of your compromised network gear and systems as possible.
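The “regularly tested backups” control in the Recover list and the “test your backups” step above, as an added example that is not from the original post: a restore drill that records a SHA-256 manifest of the source files when the backup is taken, restores the archive to a scratch directory, and reports files that are missing or whose content no longer matches (which is how a backup that was itself encrypted or truncated shows up). The tar format, the scratch directories and the sample files are assumptions constructed for the example.

```python
import hashlib
import os
import tarfile
import tempfile


def build_manifest(root):
    """Map each file under root (relative path) to the SHA-256 of its content."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                manifest[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def verify_restore(expected, restored_root):
    """Return (missing, changed): files absent from the restore, and files whose
    restored content differs from the manifest taken at backup time."""
    actual = build_manifest(restored_root)
    missing = sorted(p for p in expected if p not in actual)
    changed = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    return missing, changed


def backup_and_restore_drill(source_root, tamper=None):
    """Back up source_root to a tar archive, restore it to a scratch directory and
    verify it. tamper is an optional relpath overwritten after restore to simulate
    a damaged copy, so the drill itself can be shown to catch bad backups."""
    expected = build_manifest(source_root)
    with tempfile.TemporaryDirectory() as work:
        archive = os.path.join(work, "backup.tar")
        with tarfile.open(archive, "w") as tar:
            tar.add(source_root, arcname="data")
        restore_root = os.path.join(work, "restore")
        with tarfile.open(archive) as tar:
            # Use the 'data' extraction filter where this Python offers it, so a
            # crafted archive cannot write outside restore_root.
            opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
            tar.extractall(restore_root, **opts)
        if tamper:
            with open(os.path.join(restore_root, "data", tamper), "wb") as fh:
                fh.write(b"not the original content")
        return verify_restore(expected, os.path.join(restore_root, "data"))


def make_sample_tree():
    """Constructed sample data standing in for a critical system's files."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "finance"))
    with open(os.path.join(root, "finance", "q1.csv"), "w") as fh:
        fh.write("account,amount\n1001,250.00\n")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("restore order: finance first\n")
    return root
```

Keep the manifest with the backup but on media the production network cannot write to, for the same reason the run books must be kept offline.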

Don’t

  • Assume the bad actors only compromised the systems you know they were on.  Unless you are certain a system wasn’t compromised, assume it was.

  • Assume that if you pay a ransom you will get your files back.  You might, but you are trusting people who just held you hostage.  You might also encourage future extortion if you pay.

  • Download ransomware removal or decryption tools from untrusted sources.  You don’t want to make things worse.

  • Hire a company that claims they will crack the encryption unless you know they are legitimate.  Some companies that charge to do this actually pay the ransom and pocket the difference.