What to do after a ransomware attack [Q&A]
Ransomware is a major problem, and while you would ideally like to avoid being attacked, the chances are that at some point you are going to be a target.
So what happens following an attack, and what should organizations be doing immediately afterwards to lessen the impact? We spoke to Ed Williams, EMEA director of SpiderLabs at Trustwave, to find out, and to get some tips on how to proactively secure against ransomware attacks in future.
BN: Why has ransomware become such a problem?
EW: I would say ransomware is very broad; it's also indiscriminate, so if you've got an RDP instance that's unpatched or has weak credentials, you're going to get targeted. Similarly with software vulnerabilities, or a major release, or some type of exploit: there'll be ransomware gangs weaponizing that bit of software or that vulnerability and then incorporating it into their code. And then, because ransomware as a service has exploded along with the cloud, it's easy just to build it in the background; you scan the internet to see what works.
When we're doing vulnerability scanning and ransomware readiness tests, something will get compromised, or something will have a missing patch and be vulnerable. We will bring it to the attention of the business and they'll say one of three things: "I don't even know what that is." "I thought we turned it off." "We can't patch it." It's really difficult for an organization, but they need to have really good asset management and change control.
We always, always recommend segregation and micro-segmentation. To be able to do it properly, you need to really understand what data flows through your organization, how it flows, where it needs to go and where it shouldn't be.
BN: So what do you do when all the defenses have failed and you suddenly find that you've got some devices on your network infected with ransomware?
EW: From our experience there are two types of organization. One has done some tabletop exercises, knows what the process looks like and is just following the process. They isolate the machines from the network and determine what the problem looks like. Once you've done that, formulate a plan and refer to backups to recover. It's important to find the initial point of infection and shut that down.
The next thing that probably needs to happen, once you've got on top of it, is a look at data going out. In the last year ransomware gangs have also been stealing data, so you're trying to figure out what's been taken, what command and control channels have been used, how you can stop that, and how you can stop them from getting access in future. Then you look at what else they have done: have they plugged in additional users, or left malicious code that has some delay?
Immature organizations, on the other hand, panic first and probably do the wrong thing. They try to turn machines off left, right and center, when what they need to do is figure out exactly what's going on.
BN: What can you do if you're caught unprepared?
EW: The best thing to do is bring in a trusted third party that's got some sort of digital forensics and incident response capability. They will guide you through the process of what needs to be done; I think that is really important. Of course, that 30-day panic is: okay, we've had a ransomware attack, let's increase our maturity and ensure that if another variant or something else comes out we are never going to be at risk of being caught or exposed.
But you can't remove the risk completely. What you can do is improve your time to detection and your time to response by making sure that there are appropriate tabletop exercises and teaming exercises to figure out what's really important to your organization. Going on what is compromised, and that could be some sort of personal data or some sort of sensitive database, you can then wrap triggers around them based on common attack frameworks.
Once you've got the basics covered, it's going to help you with your telemetry, or with user access, or whatever it might be. It is really, really critical for organizations to focus on the basics, not because they're easy, but because they're the things that every organization, regardless of size, needs to have in place.
BN: How important is it to identify the particular strain of ransomware that you've been infected with?
EW: We know how ransomware gets in, and we know how it propagates internally. In the short term, if you're getting attacked, then it's probably very important that you know what that ransomware is, what it's capable of doing and what is likely to go back to command and control.
More broadly speaking, it's probably less important. If I was conducting a ransomware readiness study, I wouldn't focus on, "You're probably going to get attacked by this bit of ransomware, so let's make sure that your defenses and how you respond are focused on that." I think it's broader than that; we should be looking at the wider threat.
BN: What about protecting systems in the cloud?
EW: Organizations get slightly confused about what is the cloud provider's responsibility and what is their responsibility. We know there's a shared responsibility model; depending on what type of Infrastructure-as-a-Service, Software-as-a-Service, Platform-as-a-Service or Application-as-a-Service is used, you need to make sure you understand the security. When we go back a year or 18 months, there was an expectation that all of the cloud was patched and up to date, but that isn't always the case. As clients become more mature they come to realize that there is a bit more of an onus on them to understand what they're putting in the cloud and then to wrap services around that.
BN: So, the (possibly literally) $64,000 question: should you ever consider paying the ransom?
EW: My personal view is no. Ransomware has got really sophisticated, and we know that they're stealing data, so why would you want to deal with somebody who already has your data? There's absolutely no reason why, once you pay them, they're going to delete your data. If you're looking at Bitcoin, they say it's traceable, but you've got no idea where the wallet is. Yes, it is traceable to the point where you have the wallet address, but if they take it off an exchange onto a hardware wallet, you've lost it.
But if you speak to different people you get different views. There will probably be some legislation down the road giving guidance around payment. I'll be honest, we've seen organizations that are preparing to hold payment just in case something does happen; they've already made the decision that they can pay. They've got their Bitcoin ready, and if the worst does happen they can react quickly so they don't have to go and buy Bitcoin. We do see organizations doing that. As a rule we don't recommend it, but ultimately it's their business, their risk.