How not to get ransomware
Ransomware is a particularly malicious and scary form of malware. Just about anyone can understand it well enough to be terrified of it. Without warning, you will have a choice: come up with a lot of cash quickly or see your business disappear.
What is ransomware? After gaining access to your computers, the attacker runs software on them that encrypts all the data and deletes the unencrypted copies. You get a ransom note that tells you to pay a certain amount in a cryptocurrency, after which you will receive a key and software to decrypt the data.
The criminal gangs behind many of these attacks have adopted advanced technology, including artificial intelligence. This improves the sophistication of their attacks, greatly increasing the chances of their success in getting a foothold in the victim’s network.
Ransomware and the SMB
For a small or medium-size company, ransomware can mean a genuine end of your business. According to Forrester Research, the average ransomware incident lasts 7.3 days. During that time (remember, it’s just an average), you likely will not have access to your data or your computers. Even if you are able to recover your systems and data, can you survive 7.3 days of that? Equally, can your business afford the ransom payment?
SMBs typically don’t have IT resources as sophisticated as those of enterprises. To prevent an existential threat like ransomware, you’ll probably need to step up your IT game. This article explains, in general terms, how to do that.
From a purely technical standpoint, ransomware is just another kind of malware, a malicious program that has been allowed to run on your systems with privileges sufficient to cause damage. That damage—the encryption of your files—is what makes it different, but once the attacker has the privileges to do that, you’re not in much of a position to protect yourself.
How do attackers gain the privileges they need to take your data hostage? Through a variety of techniques that are old and well understood.
How do you prevent the attacker from gaining privileges? The answer is a familiar litany of best practices you need to follow and insist all users observe.
All the usual attacks
Ransomware often gains a foothold in systems through the exploitation of unpatched software vulnerabilities. On May 12, 2017, there was a major, worldwide ransomware attack called WannaCry. The attack software exploited vulnerabilities in an old and deprecated version of the Windows Server Message Block (SMB) protocol, used for file sharing across networks. Microsoft had provided patches for the vulnerabilities in advance of the attacks, and best practice had long dictated removing support for the deprecated SMB v1 protocol from one’s systems. But enough users did not apply the patches or were running versions of Windows that were past their end-of-life dates that there were “over 200,000 victims in at least 150 countries,” according to one report.
This may be a propitious time to remind users that Jan. 14, 2020, will be the last Patch Tuesday on which Microsoft will release updates, even critical security updates, for Windows 7 and Windows Server 2008 to the general public. Those Volume Licensing customers (not likely SMBs) willing to pay handsomely for them can still get updates but not forever, and the cost will increase each year.
A recent report stated that the biggest method of ransomware exploitation is credential stuffing of accounts with weak passwords. With credential stuffing, attackers take an email address as a presumed username and attempt to log into a service with a series of weak and common passwords (e.g., “passw0rd” or maybe the person’s birthday or spouse’s or children’s names). This is one way to gain a foothold in the network from which to commence the attack.
The other common technique is phishing, in which a fake email is sent to members of an organization. It is designed to look like it comes from someone recipients should listen to, like tech support. It may have a payload, which is a program attached or downloaded via a link in the email that gives the attacker access to your organization’s computers. It may just ask the user to log in and steal the username and password as the user types it.
The more sophisticated, but less common, version of this attack is called spear phishing, in which the attacker personalizes the message to a specific target. It’s not that hard to do. Some research on sites like LinkedIn might tell the attacker who holds positions in IT. If non-technical users receive an email that looks like it is from one of those IT staff members, they might be inclined to read it and listen to it. If the email said IT is investigating a problem and users should click a link to download a diagnostic program and run it, they might do that.
Once the attacker has logon credentials or has executed malware on your systems, it’s not exactly game over, but the hard part is probably done. Now that the attackers have a foothold in your network, they can explore it and find the critical assets to encrypt—i.e., “take hostage.” Through a variety of techniques, they can “move laterally” between different parts of the network, finding new assets and gaining new permissions until it is time to run the programs that encrypt data and delete the unencrypted copies.
One last popular avenue of ransomware attack is through port 3389 in Windows, known variously as Terminal Server, Terminal Services, Remote Desktop Services, Remote Desktop Protocol (RDP, the protocol that uses the port), and many similar names. It provides a remote terminal interface to Windows and is popular for remote administration. Windows has left this port closed by default, but it is such a convenience that many users and administrators open it up. Linux-based services like SSH, poorly configured, are also an open door for attackers.
Researchers familiar with the field say that once the attackers have that foothold in the network, it only takes a couple of hours for them to move laterally to a more privileged position from which they can do real damage. This means that it is imperative that you stop the attackers before they get in. A variety of tried-and-true techniques can accomplish that.
All the usual defenses
Vulnerability opportunities like the one exploited by WannaCry don’t come along all that often, but when they do, they are especially scary because they attack masses of users at once. Patching and major system updates (such as moving from Windows 7 to Windows 10) are delayed in many organizations because they are resisted internally. Ransomware is just one of the exhibits demonstrating the folly of this attitude.
Patches are also delayed because of QA testing required for system changes. Testing is, of course, a wise thing to do, but if it delays deployment for more than a short period, it can become counterproductive. Microsoft and other major vendors changed patches to a regular schedule so customers can plan and be ready for testing and deployment. Take advantage of that schedule to test and deploy promptly.
Two-factor authentication is one of the most important defenses you can deploy against ransomware and a host of other attacks. It’s not a defense, at least not a general one, against vulnerability-based attacks such as the one that enabled WannaCry, but it addresses nearly all the others. Stories of recent breaches—such as that of a Chicago-based brokerage, the 2018 attack on the city of Atlanta, and every credential stuffing and spear-phishing attack—reveal scenarios that would have been blocked had the organization used two-factor authentication.
Many small businesses are also targets of ransomware, with the healthcare industry a particular target. Brookside ENT, a two-physician practice in Battle Creek, Michigan, was put out of business by a ransomware attack. For a long list of healthcare organizations hit by ransomware (and other attacks, as well as breaches unrelated to attack), see the so-called Wall of Shame database maintained by the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights.
Even weak two-factor schemes like emails or text messages are much better than nothing, but the best technology is becoming very affordable. Some of the most important products and standards are managed by the FIDO Alliance.
A good two-factor implementation doesn’t eliminate the need for a good password policy. In the spirit of defense in depth, there’s no reason to make it easy for attackers, and a good password policy makes it hard for them. We discussed current best practices in passwords in a recent article, but the highlights are that you should require passwords to be strong and unique and check them against public lists of common and breached passwords. Providing password managers makes all of this easier for your users to carry out.
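As an added illustration that is not from the article or from HPE: a Python policy check that enforces a minimum length and looks a password up in a breach list by SHA-1 prefix, the k-anonymity style of lookup that public breached-password services use. The breach table below is constructed, and the minimum length, function names and "SUFFIX:COUNT" format are assumptions.

```python
# Added example, not the article's code: password policy check with an
# offline, constructed breach-list lookup keyed by the first 5 hex chars
# of the SHA-1 hash. Only the prefix would ever leave the machine in a real
# lookup; the suffix comparison happens locally.
import hashlib

MIN_LENGTH = 12  # assumed policy value


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def _build_range_table():
    """Constructed stand-in for a breach list: prefix -> ['SUFFIX:COUNT', ...].
    The two entries and their counts are made up for the example."""
    table = {}
    for pw, count in (("passw0rd", 12345), ("Password123", 98765)):
        h = sha1_hex(pw)
        table.setdefault(h[:5], []).append(f"{h[5:]}:{count}")
    return table


_RANGE_TABLE = _build_range_table()


def lookup_range(prefix):
    """Offline stand-in for querying a breach list by 5-char hash prefix."""
    return _RANGE_TABLE.get(prefix, [])


def breach_count(password):
    """Return how many times the password appears in the breach list (0 if none)."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in lookup_range(prefix):
        s, count = line.split(":")
        if s == suffix:
            return int(count)
    return 0


def check_password(password):
    """Return a list of policy failures; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    n = breach_count(password)
    if n:
        problems.append(f"appears in {n} known breaches")
    return problems
```

Uniqueness across accounts is the one highlight this check cannot enforce offline; that needs a comparison against your directory at password-change time.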
As a general rule, follow the principle of least privilege, meaning a set of credentials anywhere in the network should avail the user of the privileges they need and no more. Use administrator accounts as little as possible. There are privilege management tools, like those from CyberArk, that allow you to approach this task in an organized manner, but you can do a lot even without them. At the very least, remove local administrator accounts from systems as a matter of policy. Adherence to role-based access control also facilitates a good least-privilege policy.
There are many approaches to protecting against attacks through RDP and other terminal interfaces, including proper firewall configuration and changing the port number from the default, but the most important is to leave the service disabled and the port blocked unless it is needed for a legitimate purpose.
Other important security measures you should take include:
- Always stay on top of patch management. Victims of WannaCry weren't, and it hurt them badly.
- Keep anti-malware solutions up to date, and think about next-generation solutions that focus on behavior, as a complementary or even alternative technology to traditional antivirus products.
- Keep asset management solutions up to date. There is nothing worse than having to do a massive cleanup and not knowing what you own.
- Log everything, and make sure you have the people and processes in place to monitor the logs.
- Make sure the network is sufficiently segmented to avoid rapid spreading of malware infection.
- Adopt a security framework. These are established sets of standards, guidelines, and best practices to manage security risk. NIST provides a well-regarded one, but which is best for you depends on your industry, country, and other factors.
- Provide your employees with security awareness training. Help them help slow down phishing and other attacks. Nobody wants to be the employee who made the critical mistake.
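The credential stuffing described earlier (one source trying weak passwords against many accounts) is exactly the kind of pattern the logs you are told to monitor can reveal. The following is an added example, not code from the article or from HPE: a small Python detector run over constructed log lines in an assumed format (real input would be Windows logon-failure events or an SSH auth log), with the window and threshold chosen as assumptions.

```python
# Added example, not the article's code: flag credential-stuffing activity
# in authentication logs. Many distinct accounts failing from one source in a
# short window is the stuffing signature, unlike a brute force that hammers a
# single account. Log format below is constructed for the example.
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample lines: timestamp, result, account, source address.
SAMPLE_LOG = """\
2020-01-10T08:00:01 FAIL user=alice src=203.0.113.7
2020-01-10T08:00:03 FAIL user=bob src=203.0.113.7
2020-01-10T08:00:04 FAIL user=carol src=203.0.113.7
2020-01-10T08:00:06 FAIL user=dave src=203.0.113.7
2020-01-10T08:00:08 FAIL user=erin src=203.0.113.7
2020-01-10T08:00:09 OK user=erin src=203.0.113.7
2020-01-10T08:05:00 FAIL user=alice src=198.51.100.2
2020-01-10T08:05:30 OK user=alice src=198.51.100.2
"""

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")


def parse_log(text):
    """Parse the constructed format into (time, result, user, src) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ts, result, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), result, user, src))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=4):
    """Return {src: {"users": [...], "succeeded": [...]}} for each source
    that failed logins against >= min_users distinct accounts within one
    window; "succeeded" lists accounts that later logged in from that
    source, i.e. the ones to treat as probably compromised."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[3]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        fails = [(t, u) for t, r, u, _ in evs if r == "FAIL"]
        for i, (t0, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - t0 <= window}
            if len(users) >= min_users:
                succeeded = sorted({u for t, r, u, _ in evs
                                    if r == "OK" and t >= t0})
                alerts[src] = {"users": sorted(users), "succeeded": succeeded}
                break
    return alerts
```

On the sample, the first source is flagged for five accounts in eight seconds and erin's subsequent success is listed; the second source, one failure followed by a success, is ordinary user behaviour and is not reported.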
A note about backup
You already know, because everyone knows, that you need to take backups seriously. The threat of ransomware means you need to take more sophisticated backup plans seriously. A capable attacker will attempt to wipe or encrypt your backups. It is important that you keep backups where the attacker cannot get to them.
In the event of an attack, your incident response personnel will want to rebuild systems from images that are known to be good and as patched as possible. After these are built and any configurations performed, the data can be restored from backup. The best products are designed to facilitate the kind of quick recovery you need in these cases.
Best practice is to follow the 3-2-1 rule of data protection: Have three copies of your data, store two copies on different storage media, and keep one of them off-site. Having backups off-site, or at least offline, is the most important measure you can take to ensure you can recover. Learn from the example of Wood Ranch Medical, a clinic in Simi Valley, California, whose only backups were on attached hard drives that were encrypted by ransomware. The damage was so severe that it had to permanently shut down.
Drill, drill, drill
Big companies that invest in incident response preparation schedule practice drills. You don’t really know that your plans and backups will work if you don’t practice them. Having such a practice session under your belt will be of enormous assistance if you have an actual incident, and you will likely learn valuable things about your operation from it.
We would be remiss not to mention the importance of cybersecurity insurance, which has to be considered an important part of any overall security plan. Cybersecurity insurance is a relatively new, highly competitive business. The market is largely focused on larger businesses, but policies are available for smaller organizations and at least worthy of consideration.
In another recent article, we explored the general need for cybersecurity insurance and innovations in the business that create incentives in organizations to improve security.
You can’t outsource all your responsibilities
Outsourcing IT responsibilities, including security responsibilities, is common among SMBs. Even in larger companies it’s common, and not unreasonable, for management to say, “This security stuff is too complicated. I’d rather just pay you guys to do it.”
This approach is sensible to a point, but you can never completely eliminate your own responsibility for your own security. While you can outsource your operations, you can’t outsource your organizational risk.
You can also be compromised through your managed service provider (MSP) being compromised. There are certainly MSPs that apply best practices with rigor and thereby are not under serious threat of ransomware attack. But there are less diligent MSPs, and they are high-value targets for ransomware attackers. This is not to say that you shouldn’t trust MSPs, but rather that you should scrutinize their policies and reputation.
If you get hit by ransomware, you will have a choice to make quickly: whether to come up with a lot of cash on the spot or quickly throw IT resources at the problem sufficiently to recover from the attack without the attacker’s assistance. To complicate the situation, you can’t really be sure that you will get your data back. The infamous NotPetya demanded ransom but also wiped many files so they could not be recovered. It’s a bad idea to think of paying the ransom as a reasonable fallback position.
It is possible to resist the attack. Consider the ransomware attack against the government of New Bedford, Massachusetts, in July 2019. Alert staff detected the attack before it completed and took quick measures to stop it. They were able to recover all affected systems, and many that could have been affected weren’t. Clearly, New Bedford was prepared for this sort of incident, and it bought time for its staff by negotiating with the attackers. News stories and social media heaped praise on the city.
Small businesses can survive as well. As described in the HHS database, a hacker penetrated the network and systems of Longs Peak Family Practice in Colorado and used ransomware to encrypt some files. They were able to remove the infection and restore the missing data from backups. As is common in these situations, they followed up by changing IT providers and adding many new security controls.
Implementing secure practices such as these requires a trained security professional, if not on your staff then from outside expertise (such as HPE Pointnext Services). Very few SMBs have this sort of expertise in-house.
A successful response to a successful ransomware attack probably involves throwing money at the problem very quickly, either as ransom or in tearing down and rebuilding your systems in a short period of time—during which your actual business will certainly be impeded. It is far better to maintain a high level of security and have backups in place to prevent any attack from getting a foothold or, if it does, spreading.
Simon Leech, CISSP-ISSAP, CCSK, CISM, CRISC, contributed to this article. He works in the Security and Risk Management Practice, Advisory and Professional Services, at HPE Pointnext Services.
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.