Ready for ransomware? An executive perspective
Posted on 29 Jan 2019 by John Fehan
An old client was calling. His new employer had been hit with ransomware. Applications were down across their network, with servers encrypted. Active Directory was not responding; even laptops were dead. My client was calling for help. He was calling everyone for help—his old contacts, consulting firms, value-added resellers, vendors—everyone with whom he had relationships.
There are ways IT executives can prepare against the scourge of ransomware and best respond if it happens. In this post I’ll share direct experiences with ransomware, explain how it attacks, and provide smart questions an executive should ask their organization.
This information is shared to help executives understand and manage their organization’s response to the ransomware threat. For your specific environment, we recommend that your company conduct a risk analysis to determine the best course of action. Not clear on the value of a security risk analysis? Learn about security analysis and detection.
Executive perspective: What’s the difference between malware and ransomware?
Malware hurts; ransomware extorts. Malware is external software that causes harm, which is installed without permission on a victim’s computer.
Ransomware is a type of malware that extorts money from its victims. Ransomware most commonly does this by encrypting the hard drives of its victim. The victim cannot access their data unless a ransom is paid to the attacker. Some ransomware goes a step further and can be used as a weapon of war: with these variations, no ransom can be paid and no decryption is possible. The victim’s data is lost.
How do ransomware attacks happen?
Ransomware exploits a couple of vulnerability found in many enterprises. First the attacker must gain access to your network typically via one of two common vulnerabilities. Second, it spreads throughout your network via a third common vulnerability. Let’s take a look at each. To assist in preventing successful attacks, our cyber testing team frequently uses spear phishing campaigns to raise awareness among employees and uncover vulnerabilities.
Our client had been infected with the NotPetya virus, which is ransomware that has been weaponized. There was no key; there would be no decryption. There was no number to call, no ransom to pay.
Accessing your network: Spear phishing
With spear phishing, The attacker sends customized, targeted emails attempting to get a company employee to provide their credentials or to download malware on to their company laptop. Such emails can be very convincing.
When a spear phishing attempt is successful, and an authorized client machine is compromised, further attacks look like normal traffic coming from a trusted source. It is impossible to completely eliminate attacks via customized emails—but conducting spear phishing campaigns is a good technique to use regularly.
Smart Questions: Spear phishing vulnerabilities
- How can we detect company laptops that are compromised?
- How long does this detection take?
- Is it possible to detect compromise on everyone’s laptop, including external laptops?
Smart Questions: Trusted partner vulnerabilities
- What persistent server connections do we maintain with external partners or customers?
- How do we protect ourselves from attacks via these connections?
Smart Questions: Old operating systems
- What systems are running on unsupported operating systems?
- What extra security controls do we have in place to protect us from unauthorized access via unsupported operating systems?
Accessing your network: Trusted partner
Network compromise may also be gained via a trusted partner. The attacker deploys the ransomware through a persistent server-to-server connection with that trusted partner. Times of inattention may also be targeted—long weekends, inclement weather—when security monitoring is at its weakest.
Old operating systems
Another common vulnerability that increases one’s risk of a ransomware attacks are old operating systems. Once inside the network, the attacker can deploy ransomware by attacking servers running old, unsupported operating systems. SMBv1 is a protocol enabled by default on old Windows operating systems. It was quite helpful and often used to discover file shares and to share printers.Today SMBv1 protocol quite vulnerable to attack. Via this protocol, the ransomware compromises one server, obtains root access, and then uses that root access to authenticate with other servers throughout the network. The infection can spread across an entire network within hours, so fast that a manual response is not fast enough to prevent harm.
What is the impact of a successful attack?
The victim loses access to application and customer data. The victim also loses confidentiality of customer data and must report any corresponding regulatory violation. Data is assumed to have been read and exfiltrated during a ransomware attack as it cannot be proven otherwise. In summary, the impact is perhaps confidentiality, definitely availability, and potentially integrity.
Ransom is often demanded in bitcoin in an amount that is sizable, but reasonable to pay, at least the first time. Often systems that affect patient safety, such as treatment or monitoring systems, may be targeted to escalate the urgency of the demand. The deadline for ransom is often about one week: enough time to procure the money, but not long enough to debate. Bitcoin takes days to settle, so a decryption key won’t be supplied quickly, if one comes at all.
Steps after a successful attack
Our client had disabled the entire network including all external connections and remote access. The early priorities were to rebuild Active Directory and key systems from backups. Their backups were viable; but some were infected. What else did they need to do?
Public companies had to disclose their NotPetya ransomware infection as it was a material event, that is, it affected the company financial reporting and therefore, its stock price. Affected public companies were required to disclose the NotPetya infection, its affect on operations and data privacy, and in later quarters, the cost of recovery. Most affected companies reported the recovery costs in millions of dollars. Additional private companies were also affected but were not required to disclose the magnitude of the impact.
Whether to pay the
The victim is instantly forced to decide if they fully trust the integrity of their backups—or if they need to pay the ransom. Restoring from backups and validating that the backups are not infected can take weeks and the costs are considerable. It can take a week or two more for the bitcoin ransom payment to settle. Even after payment of a ransom, a decryption key may never be returned. And there is no refund if a decryption key never arrives!
Smart questions: The ability to respond to an attack
- What is our backup testing schedule?
- Are there any backups we do not test?
- How would we protect ourselves if we had to recover servers from backups that might be infected?
US law enforcement does not recommend paying ransoms following such attacks. It is believed that paying the ransom makes an enterprise a more desirable target for subsequent attack.
How to reduce one’s risk
Having a comprehensive HIPAA Privacy and Security program with board oversight is not enough to protect or prepare for a ransomware attack. TUV Rheinland OpenSky recommends a risk analysis be conducted to determine the best course of action for specific situations.
To focus on the top ransomware vulnerabilities and key protections, refer to the above smart questions. Click here to download a PDF of “Smart Questions to Ask to Prevent, Prepare for and Recover from Ransomware Attacks.”
If responses to the smart questions are vague or minimize the risk, don’t accept the answer! Require a comprehensive answer within days. Don’t let it drop, as the costs from successful ransomware attacks can be severe.
For specific situations, TUV Rheinland OpenSky recommends conducting a risk analysis to determine the best course of action to prevent ransomware attacks. To get started, see our services in security analytics and detection. In a future blogpost, we will share the real-life incident response we took following ransomware attacks, plus a checklist to reduce risk. Stay tuned for a future blogpost: “Engineer perspective: Checklist to reduce risk for ransomware attacks.”