by Shawn D. Stewart

Ransomware Survival

OR, How I Learned To Stop Worrying and Love the Tape

Part 1 – Intro and Prep

Ransomware is probably the scariest and most disruptive thing an organization can face short of an IRS audit.  You would probably be better off with the audit: the typical ransom demanded to release data is reported at $233,000, and that does not include downtime, lost production, and repair costs.  One company reportedly paid $10 million!

What is ransomware?  This malicious software arrives as an email attachment, behind a link, or weasels its way onto your computer as a drive-by download when you point your browser to places it shouldn’t go.  Once running, it encrypts every important file it can reach, not just documents and spreadsheets but accounting data, backups on any mapped drive, Customer Relationship Management (CRM) databases, everything!  It then calls home to the hacker’s server, and a ransom is demanded, sized to your company’s name and prestige.

The bad news is you have two choices: pay the ransom or restore your data from backups.  Even then, backups aren’t guaranteed.  One recent victim found out the hard way that unless you periodically validate data restoration, backups can be worthless, leaving your only option to pay the ransom.  Free decryptors exist only for older or badly implemented families; there are no public reports of anyone breaking the encryption of current, well-written ransomware.  Before you plop your head in the sand or wet yourself in fear, here are the steps to take to protect yourself before, during, and after an attack.

Before the Attack

Back It Up! – Go and verify your backups are working.  Right now!  I’ll wait.  How do you know they work?  Have you restored them?  Do you have an offsite copy that can’t be reached, and therefore can’t be encrypted, over the network or through a cloud sync?  Ask anyone hit with ransomware and they will tell you the Cloud data was encrypted just like the local data: a sync or replication job faithfully copies the encrypted versions over the good ones.  If you have no other IT priority in your business, whether you are a sole proprietor or a Fortune 50 company, verify your backups regularly!!!  Be mindful that online or cloud backups that are continuously synchronized inherit the damage as soon as replication occurs; what survives an attack is a copy that is offline, immutable, or versioned so that pre-attack versions can still be pulled back.  A restore is only verified when you have pulled files out of the backup and checked that they are the files you put in.
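As an added example of the restore test this paragraph calls for (this is not the author’s tooling, and the file names, paths and sample contents are constructed for the demonstration): the script below records a SHA-256 manifest of the live data at backup time, then compares a test restore against that manifest and reports what is missing, modified, or unexpected.  It also flags restored files whose contents are near-random, because a backup that matches its own manifest but contains such files was taken after the ransomware ran.

```python
"""Backup restore verification with a hash manifest and an entropy check.

Added example, not part of the original post.  Paths and sample files are
constructed inside a temporary directory so the script runs offline.
"""
import hashlib
import json
import math
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream-hash a file so large backup sets never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256.
    Store this next to the backup and keep a copy offline with it."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits near 8.0, plain text around 4 to 5.
    Legitimately compressed files (zip, jpeg) also score high, so treat a
    hit as a prompt to look, not as proof of encryption."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def verify_restore(restored: Path, manifest: dict,
                   entropy_threshold: float = 7.5) -> dict:
    """Compare a test restore against the manifest taken at backup time.

    Every file present in the restore is also entropy-checked; a file that
    matches the manifest but looks like ciphertext means the backup itself
    was taken after the attack, which is exactly the failure a periodic
    restore test exists to catch.
    """
    report = {"ok": [], "missing": [], "modified": [],
              "unexpected": [], "possibly_encrypted": []}
    present = {p.relative_to(restored).as_posix()
               for p in restored.rglob("*") if p.is_file()}
    for rel, expected in manifest.items():
        if rel not in present:
            report["missing"].append(rel)
            continue
        if sha256_file(restored / rel) == expected:
            report["ok"].append(rel)
        else:
            report["modified"].append(rel)
    report["unexpected"] = sorted(present - manifest.keys())
    for rel in report["ok"] + report["modified"]:
        if shannon_entropy((restored / rel).read_bytes()) >= entropy_threshold:
            report["possibly_encrypted"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: back up three files, then simulate a restore
    from a backup that was taken after ransomware touched the share."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "accounting").mkdir(parents=True)
        (live / "accounting" / "ledger.csv").write_text(
            "date,amount\n2021-01-04,1200.00\n" * 50)
        (live / "crm.db").write_bytes(
            b"SQLite format 3\x00" + b"customer record " * 200)
        (live / "readme.txt").write_text("Quarterly notes.\n" * 40)
        manifest = build_manifest(live)  # taken at backup time

        restored = Path(tmp) / "restore_test"
        shutil.copytree(live, restored)
        # Damage the "restore": one file overwritten with ciphertext
        # (random bytes stand in for it), one deleted, one ransom note added.
        (restored / "crm.db").write_bytes(os.urandom(4096))
        (restored / "readme.txt").unlink()
        (restored / "README_FOR_DECRYPT.txt").write_text(
            "Your files are encrypted.\n")

        report = verify_restore(restored, manifest)
        report["manifest_size"] = len(manifest)
        return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the manifest is written when the backup job runs and a copy goes offline with the tape; the verification runs against a scratch restore on a schedule, and any non-empty "missing", "modified" or "possibly_encrypted" list is a page to a human, not a log line.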

Insurance – You may not know it, but most insurance agencies now offer cybersecurity coverage that can mitigate the cost of an attack.  Some issuers reimburse losses while others handle ransom negotiation and work to recover your systems.  Speak with your insurance provider about the best option for your organization, and read the policy closely for what it requires of you (working backups, patching, signed policies) before it will pay out.

How? – “But, I have antivirus and a firewall.”  Yes, everyone has those, and a large share of ransomware still gets through them.  Why?  Ransomware authors test their builds against the major products before release, and they borrow legitimate software as cover: one Dharma campaign, as an example, reportedly shipped with a genuine ESET AV Remover installer so the victim watched an antivirus tool run in the foreground while the ransomware encrypted files in the background.  These guys are smart.  Additionally, not all antivirus programs include behavioral anti-ransomware protection; many are still signature-based antivirus and nothing more.

More is Better… – Diversify your antivirus/antimalware protection across layers (the email gateway, DNS filtering, the endpoint) rather than stacking two real-time engines on the same computer; some programs will not work together on the same machine and one can blind the other.  Do not use an account with administrative access for day-to-day work.  If you don’t run with full-time administrative rights, whatever arrives by email or browser runs as a limited user, and the odds of something installing without your knowledge are lower.

…except when it’s not – Every salesperson will tell you their box or software will protect you from ransomware.  If you are a Fortune 500 company, several boxes are required, each one very expensive and each needing continuous maintenance.  But no magic box can protect you on its own.  Real protection from ransomware requires diligence from everyone in the company.

Assess – Policy is the first step in securing an organization.  Do you have a written policy, signed by all employees, contractors, and suppliers, specifying their expected behavior AND the consequences for not behaving properly?  If not, an insurer may deny your claim and law enforcement will have a much harder time prosecuting, even if you catch the hacker in the act.  A Business Impact Analysis puts a number on what each system’s downtime costs and ensures that your C-levels understand why a plan is needed.

Every company should perform regular Risk Assessments and practice Incident Management.  As Sun Tzu says, “one who knows the enemy and knows himself will not be in danger in a hundred battles”. 

Paper to the Rescue! – Good policy calls for a physical, printed, and bound copy of important information (incident contacts, insurer and vendor phone numbers, restore procedures, network diagrams), available at your office and the homes of key personnel.  I’ve seen some wrapped in reflective tape with glow-in-the-dark stickers!  Have you ever said, “I don’t need to print that, I have it electronically”?  WRONG!  When the file server is encrypted, so is the electronic copy of the plan.  PLAN for the worst.  HOPE for the best.

This is WAR, Soldier! – A defense-in-depth approach is the most viable solution to any security risk.  But, firewalls, antivirus, DNS protection, constant monitoring, and policy will not prevent your CEO from opening an email from a Nigerian prince, turning your data into the equivalent of a slow-motion video on Mutual of Omaha’s Wild Kingdom. 

Some technology, such as smart proxies and DNS filtering, can be used to prevent internal users from browsing unsavory sites.  Adult sites are commonly cited as the Number 1 source of drive-by downloads, which in turn are among the leading causes of malware and ransomware infections.  Keeping Windows and browsers patched shrinks the surface a drive-by exploit can use, but patches won’t help when the user clicks the link and runs the download themselves.  Think of the proxy as a former Irish pub bouncer turned handsy TSA Agent.  Yeah, nothing gets through it unscathed.

The Answer? – The only true way to protect yourself and your organization from ransomware is SETA – Security Education, Training, and Awareness.  Many companies provide video modules teaching everyone how to recognize and avoid phishing emails.  Go a step further and coordinate a simulated phishing campaign by a qualified training or security company.  The statistics (who clicked, who reported it) will verify whether the training is working.  Monthly lunch and learns are very effective, especially if the boss is buying the corned beef.

The next post will guide you through the worst that can happen…The Attack!

Shawn D. Stewart

Mr. Stewart has 25 years of experience with hundreds of international, commercial, military, and government IT projects. He holds or has held certifications with ISC2, Cisco, Microsoft, CompTIA, ITIL, Novell and others. He also holds a BS in IT, a Minor in Professional Writing and is a published author. He is scheduled to complete his Masters in Cybersecurity in August 2021.
