Ransomware happens -- get over it and be prepared
In its recent State of the Channel Ransomware Report, data protection firm Datto found that SMBs ponied up some $301 million to digital hostage takers over the course of the past year. According to the survey, which claims to have spoken to some 1,700 MSPs representing over 100,000 clients, 21 percent stated that their clients suffered six or more attacks last year.
Simply put, roughly one in five organizations were victims of ransomware. However, more disturbing is that 99 percent of MSPs told researchers that they expect ransomware attacks to keep rising over the next two years.
Despite all the precautions and attempts to follow best practices to a T, there is always the possibility that your organization could be hit by a ransomware attack. You, your data, and operations are always vulnerable to a determined hacker that is bent on extorting you for cash or simply disrupting your business.
Let that sink in for a moment.
But isn’t there a way to be 100 percent protected with the right security product or through drilling your staff to never open that attachment from an unknown sender? The honest answer is not really. The only surefire way to really protect yourself is to completely unplug from the internet.
It would probably look something like this envisioning by The Onion of life after opting out from Google:
In order to work, your employees have to be connected and expose themselves to risk. With this in mind, the question is, how are you preparing for the day that your team will have to handle a serious threat?
The first and most obvious step is to do regular backups of your data. You should already be doing this. If not and this is the first time you are reading about ransomware, go do that now.
While we are on the topic of what should be obvious dos and don’ts, whatever you do, do not pay the thieves. Not only does it encourage them to keep at their evil ways, but there is no guarantee that they will even unlock your files after you pay. Some experts have suggested that in the new reality of exploit markets for malware, a lot of cybercriminals sending the ransomware don’t have the skills to explain to their victims how to decrypt their files.
For those of you who have already read a thousand and one rehashes of the same "best practices" to prevent getting infected, here are a couple of thoughts on what to do if someone on your team is unlucky enough to become patient zero at your company.
1. Use segmentation
As much of the risk of ransomware comes from the human element -- spear/phishing emails, malicious links, etc. -- there isn’t much to say on prevention that hasn’t been said before. That said, it may be worth implementing micro-segmentation in your network to contain the damage to as few endpoints as possible. Noopur Davis, the Chief Product and Information Security Officer at Comcast, has cited this method as one of the ways that she keeps her company’s massive network safe from attackers.
By sealing off your data into separate silos, you can keep more of your data safe in the event of a breach. Think of it like closing off the hatches on a ship. You might lose some sections by taking on water, but the ship is saved.
2. Assess the damage
Once you have plugged the leak by quarantining the malicious bit of code from reaching other parts of your system, it is time to start your damage control efforts.
Try to understand where you had stored your critical data. Are you using cloud services like Google Drive or Dropbox for backups? If so, have they been affected by the attack?
If you have organizational data on your endpoint, you need to inform your system administrator so that they can launch a more thorough search to understand if important company documents have been exfiltrated. While this can be painful, it can also give your team the necessary time to make adjustments and avoid further damages.
3. Help protect the herd
Just like any virus that we encounter in the wild, the best way to build up immunity is to study it. The good folks at MalwareHunterTeam have launched a data collection project called ID Ransomware. Affected users can upload details like the ransom note, a sample encrypted file, and other details that can help neutralize the threats.
If you are lucky, this tool might turn up a decryption key to unlock your data. Some of these keys have been released by the hackers themselves. With 490 documented ransomwares in their database, this could be one of your best shots at finding a free solution.
Still, don’t get your hopes up. The encryption used in these attacks can be very specific and you might not find a match. Tools like VirusTotal might be of some help, allowing you to scan the malicious code for signatures.
4. Prepare for the next time
Try to plug your holes for the next attack. Statistically, there is always the risk of being hit a second time, especially if you failed to cover your vulnerabilities after the first time around.
Running phishing simulations for your team can help keep them on their toes. After all, a little paranoia never hurt anyone. Two interesting companies that offer these services are Wombat Security and IRONSCALES.
Another approach is the recreation of attachments as seen with ReSec wherein they essentially photocopy the incoming document, pushing through a brand new version that is void of any possible malicious macros or code.
However, phishing emails represent only one part of your threat surface. Remote Desktop Protocol (RDP) and Microsoft’s Server Message Block (SMB) offer hackers open gates to enter your endpoint and install their malware without requiring the user to click on a single email or link. The WannaCry attack of recent memory exploited a vulnerability in SMB to do its dirty work.
These remote hacks work by scanning for open ports. Webroot details in their report on this vulnerability how the bad guys will scan the web for open 3389 ports, which they then try to force open with brute-force attacks. The simple answer here is to change the port number and reinforce security with measures like firewalls.
However, this too can be overcome by a determined hacker, so the critical element will be having strong passwords for accessing the account. Make sure to change your default admin passwords to longer and more complex ones that will truly challenge a would-be attacker.
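One way to spot the brute-force activity described above, as an added example that is not from the original article: it counts failed remote logons (Windows event ID 4625, logon types 3 and 10) per source address in a sliding window and notes whether a successful logon (4624) followed. The CSV column layout, the threshold and window values, and the sample rows are assumptions constructed for illustration.

```python
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: CSV export of Windows Security events with the assumed
# columns time,event_id,logon_type,source_ip,account. Not real log data.
SAMPLE = """\
2024-01-10T03:00:01,4625,3,203.0.113.7,administrator
2024-01-10T03:00:05,4625,3,203.0.113.7,admin
2024-01-10T03:00:09,4625,3,203.0.113.7,administrator
2024-01-10T03:00:14,4625,10,203.0.113.7,backup
2024-01-10T03:00:20,4625,3,203.0.113.7,administrator
2024-01-10T03:00:31,4624,10,203.0.113.7,administrator
2024-01-10T09:12:00,4625,10,198.51.100.20,jsmith
2024-01-10T09:12:40,4624,10,198.51.100.20,jsmith
2024-01-10T11:00:00,4625,2,-,jsmith
"""
FAILED, SUCCESS = "4625", "4624"   # failed / successful logon event IDs
REMOTE_TYPES = {"3", "10"}         # network (RDP with NLA), RemoteInteractive

def detect_bruteforce(text, threshold=5, window=timedelta(minutes=2)):
    """Return {source_ip: finding} for addresses with >= threshold failed
    remote logons inside the sliding window."""
    recent = defaultdict(deque)    # ip -> timestamps of failures in window
    accounts = defaultdict(set)    # ip -> account names it tried
    findings = {}
    for row in csv.reader(text.splitlines()):
        if len(row) != 5 or row[2] not in REMOTE_TYPES:
            continue               # skip malformed rows and local logons
        ts, event_id, _, ip, account = row
        when = datetime.fromisoformat(ts)
        if event_id == FAILED:
            accounts[ip].add(account)
            q = recent[ip]
            q.append(when)
            while when - q[0] > window:   # expire failures outside window
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(ip, {"failures": 0, "success_after": False})
                f["failures"] = max(f["failures"], len(q))
        elif event_id == SUCCESS and ip in findings:
            findings[ip]["success_after"] = True  # guessing may have worked
    for ip, f in findings.items():
        f["accounts"] = sorted(accounts[ip])
    return findings

if __name__ == "__main__":
    for ip, finding in detect_bruteforce(SAMPLE).items():
        print(ip, finding)
```

A finding with success_after set is the one to triage first, since it means a logon from the guessing address eventually succeeded.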
5. Get a Mac
Ransomwares for OS X have made their way into our consciousness but remain a considerable minority. Most attackers have taken aim at systems running Windows or Linux as they represent the vast majority of targets out there, especially in the corporate world. Perhaps college students, graphic designers, and other creative types are less lucrative. Scamming and stealing is all about aiming for the widest group possible with the least amount of effort. Macs are a smaller pool of users and have a closed ecosystem that has made them less attractive as targets.
So while most Mac users are probably a little too confident in their own security -- a situation that is likely to change in the coming years -- working with Apple does appear to provide some protection.
Reduce your risk of blunders
If you exposed the company to risk through a non-work blunder (think downloading torrents or worse), consider looking for another job after you’ve thoroughly covered your tracks. Mistakes will happen, and what matters most is whether or not you have measures in place to quickly pick up the pieces and avoid unnecessary downtime.
Rami Sass is CEO and Co-Founder of WhiteSource, the leading open source security and compliance management platform. Rami is an experienced entrepreneur and executive with vast experience in defining innovative products, leading technology groups and growing companies from seed level to business maturity.