Just about every week this year we’ve seen a news report about a city, corporation, hospital, or school system suffering a ransomware attack that brought operations to a halt.
Criminals are changing their tactics, turning away from individuals and focusing on organizations that have the ability to pay costly ransoms, especially organizations that lack sophisticated cyber security defenses.
In my role as a virtual CIO for some of Ntiva's clients, I’ve seen many different forms of ransomware. This week I’d like to offer some practical tips on how a small or mid-sized business (SMB) should manage a ransomware attack if it is hit, and how to avoid getting one in the first place.
But first, I want to scare you a little (if you aren't nervous enough already!)
2019 - The Year of Ransomware!
According to the latest reports, more than 621 government agencies, healthcare providers, and schools have fallen victim to ransomware this year, as of October 1st 2019.
Ntiva’s IT consultants have helped our own clients recover from 13 separate attacks this year, and we’ve stopped many, many more.
Why this rise in ransomware? In short, it’s making money.
People are paying the blackmail money to criminals, which is making ransomware a very profitable enterprise.
Cyber insurance firms are making matters worse by telling clients to pay ransoms since that often is less expensive than recovering systems.
All of this, of course, only encourages more criminals.
Even worse, paying the ransom doesn’t guarantee that the criminals will decrypt your data or that they haven’t left behind a whole collection of hacker tools to use at a later date.
Ransomware Attack Vectors - RDP
We usually think about email as a primary delivery vehicle for malware of all sorts, and it continues to be an extremely effective way to trick users into deploying ransomware.
One recent article noted an important attack vector that most organizations might not consider: open Remote Desktop Protocol (RDP) systems.
RDP was the vector in almost two-thirds of ransomware attacks in Q1 of 2019. Attackers guess username and password combinations on exposed RDP servers until they get onto the server and then drop ransomware.
Once the ransomware has a toehold in an organization, it spreads rapidly from computer to computer and server to server by exploiting loose file permissions, open shares, and un-patched operating system vulnerabilities.
Variants Of Ransomware You Should Know About
There are a lot of great articles that provide technical deep dives on ransomware variants; my goal here is to talk about some of the most important variants for SMBs that we're seeing in the field.
Dharma
Dharma originated in 2016 and is being delivered by brute-force attacks on open RDP ports (more on how to protect RDP later). Like other newer ransomware variants, Dharma deletes your local volume shadow copies so you’re not able to recover using earlier saved Windows snapshots.
Emotet, Trickbot, and Ryuk
These are three different software packages with different functions, and attackers often use them together. Emotet and Trickbot aren’t ransomware, but they’re often used to deploy ransomware, and we’ve seen them used in conjunction with Ryuk at our clients. This combination has been coined “The Unholy Alliance.” They can all be found separately in the wild, of course, but I’m going to lump them together in a single package of woe.
Emotet essentially sets the stage for attacks by gathering information, stealing contacts from Outlook, and generally trying to gain access to whatever data it can. If you see a lot of unexplained locked user accounts on your internal network, that might be a sign that Emotet is active. Emotet can update itself several times a day, making it hard for traditional antivirus to find.
Trickbot is sometimes installed by Emotet as a means of capturing keystrokes, stealing credentials, and gathering information from web browsers. Trickbot originally targeted the financial services industry, but we’re starting to see it other places, such as education and the legal sector. It will use encryption to disguise itself from antivirus software. Trickbot, like Emotet, doesn’t encrypt data itself; it lays the groundwork and installs Ryuk.
Ryuk appeared in 2018 as a spin-off of ransomware that may have been developed by North Korea. Ryuk encrypts data and deletes shadow copies, and according to CrowdStrike it has earned as much as $3.7 million in ransoms for its operators thus far. Ryuk was used in the recent Pitney Bowes attack.
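Two of the warning signs described above, password guessing against an exposed RDP server and waves of unexplained account lockouts, leave a trail in the Windows Security log. The following PowerShell script is an added example, not Ntiva's tooling; it summarizes failed RDP logons (event 4625, logon type 10) and lockouts (event 4740) over a recent window. It assumes logon-failure and account-management auditing are enabled, and the threshold values are assumptions to tune for your environment.

```powershell
# Added example: surface RDP password guessing and account-lockout waves from the Security log.
# Run as an administrator on the RDP host (for 4625) or a domain controller (for 4740).
param(
    [int]$Hours = 24,
    [int]$FailedLogonThreshold = 20,   # assumption: tune for your environment
    [int]$LockoutThreshold = 5         # assumption: tune for your environment
)

$since = (Get-Date).AddHours(-$Hours)

# Flatten an event's EventData into an object whose properties are the field names.
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return [PSCustomObject]$fields
}

# Event 4625 = failed logon; LogonType 10 = RemoteInteractive, i.e. RDP.
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    ForEach-Object { Get-EventFields $_ } |
    Where-Object { $_.LogonType -eq '10' }

"Failed RDP logons by source IP (last $Hours h), sources at or above $FailedLogonThreshold attempts:"
$failed | Group-Object IpAddress | Sort-Object Count -Descending |
    Where-Object { $_.Count -ge $FailedLogonThreshold } |
    ForEach-Object {
        $accounts = ($_.Group.TargetUserName | Sort-Object -Unique) -join ', '
        "  {0,-18} {1,5} attempts against: {2}" -f $_.Name, $_.Count, $accounts
    }

# Event 4740 = account locked out. On a domain controller the TargetDomainName field
# carries the caller computer name, which is where the bad passwords came from.
$lockouts = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    ForEach-Object { Get-EventFields $_ }

"Account lockouts by originating computer (last $Hours h), computers at or above $LockoutThreshold lockouts:"
$lockouts | Group-Object TargetDomainName | Sort-Object Count -Descending |
    Where-Object { $_.Count -ge $LockoutThreshold } |
    ForEach-Object {
        $accounts = ($_.Group.TargetUserName | Sort-Object -Unique) -join ', '
        "  {0,-18} {1,5} lockouts: {2}" -f $_.Name, $_.Count, $accounts
    }
```

A single workstation locking out many different accounts is the pattern the post associates with Emotet; a single external IP failing against many accounts over RDP is the brute-force pattern that precedes Dharma.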
What To Do If You're Hit With A Ransomware Attack
So, you’re seeing a ransomware attack happen right in front of your eyes. Here's a short list of actions you should take immediately:
- Inform your IT department or your Managed IT Service Provider of the attack ASAP
- Cut the power to your core switch (there are certain circumstances where you should NOT do this, see below)
- Disable all shares, including admin shares
- Use custom Windows firewall rules
- Disable RDP servers
- Locate the source of infection and quarantine it
- Restore damaged servers from a backup
Below is more detailed information. Some of these recommendations will be disruptive and may break things, but they’re less bad than ransomware running wild through your organization!
- Physically cut power to your core switch. This will stop the ransomware from spreading laterally and keep it from interacting with its control servers on the Internet. IMPORTANT NOTE: Don’t do this, of course, if you have applications using your network that protect the health and safety of people. Those applications will stop working if you do. If you have telephones on your data network, they also will stop working.
- Disable all shares, including admin shares. This likely is going to break some things, but it also will make it harder for the ransomware to spread.
- Windows Firewall Is Your Ally. Use custom Windows Firewall rules to prevent computers from talking to one another over the ports that ransomware is likely to use.
- Cut off Internet-bound traffic at your firewall with a quick rule change.
- Disable RDP servers.
- Locate the source of the infection and keep it isolated for later examination; quarantine all other affected computers until they can be restored.
- Restore damaged servers from backup. Rather than just restoring encrypted files, recover the entire server from a known-good date. Having consistent and well-maintained backups is a key benefit of outsourcing your IT with Managed IT Services.
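The host-level steps above (disable shares including admin shares, custom Windows Firewall rules, disable RDP) can be applied quickly and consistently from an elevated PowerShell session on each Windows machine you can still reach. This script is an added example, not Ntiva's own procedure; it assumes Windows 8 / Server 2012 or later (the NetSecurity and SmbShare modules) and the English display group name for the built-in Remote Desktop firewall rules.

```powershell
# Added example: emergency containment of one Windows host during an active ransomware outbreak.
# Run elevated. Everything here is reversible; the rollback commands are at the bottom.
$ErrorActionPreference = 'Stop'

# 1. Disable RDP: refuse new Terminal Services connections and close the built-in firewall rules.
$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# 2. Remove every share (C$, ADMIN$, user shares) and stop Windows recreating the admin shares at reboot.
#    IPC$ cannot be removed and is left alone.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Set-ItemProperty -Path $lanman -Name AutoShareServer -Value 0 -Type DWord
Set-ItemProperty -Path $lanman -Name AutoShareWks    -Value 0 -Type DWord
Get-SmbShare | Where-Object { $_.Name -ne 'IPC$' } | ForEach-Object {
    Write-Host "Removing share $($_.Name) -> $($_.Path)"
    Remove-SmbShare -Name $_.Name -Force
}

# 3. Block the inbound ports ransomware uses to move between machines: SMB/NetBIOS (445, 139),
#    RDP (3389) and WinRM (5985-5986). The rules share one group so they are easy to remove later.
$ports = @{ 'SMB' = '445'; 'NetBIOS' = '139'; 'RDP' = '3389'; 'WinRM' = '5985-5986' }
foreach ($name in $ports.Keys) {
    New-NetFirewallRule -DisplayName "IR-Containment block inbound $name" -Group 'IR-Containment' `
        -Direction Inbound -Protocol TCP -LocalPort $ports[$name] -Action Block -Profile Any | Out-Null
}
# Also stop this host reaching other machines' shares, which is how encryption spreads to network drives.
New-NetFirewallRule -DisplayName 'IR-Containment block outbound SMB' -Group 'IR-Containment' `
    -Direction Outbound -Protocol TCP -RemotePort 445,139 -Action Block -Profile Any | Out-Null

# 4. Make sure the firewall is actually enforcing on every profile.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True
Write-Host 'Containment applied. Keep this host powered on and isolated if it is the suspected source.'

# Rollback once the incident is closed and the host has been cleaned or rebuilt:
#   Remove-NetFirewallRule -Group 'IR-Containment'
#   Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
#   Set-ItemProperty -Path $tsKey  -Name fDenyTSConnections -Value 0
#   Set-ItemProperty -Path $lanman -Name AutoShareServer -Value 1
#   Set-ItemProperty -Path $lanman -Name AutoShareWks    -Value 1
#   (user shares must be recreated with New-SmbShare)
```

Apply this to the suspected source last, and do not reboot it: the post's advice is to keep it isolated for later examination, and a live machine preserves far more evidence than one that has been restarted.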
How Can You Keep Ransomware From Striking In The First Place?
This is all well and good, you may be thinking, but how can you keep ransomware from striking in the first place? With new strains of ransomware appearing in the wild all the time, there are no certainties, but you can do a lot to reduce the likelihood of infection and reduce its spread.
- Provide regular phishing prevention training to help your users recognize attacks
- Develop a security incident response plan and test it annually. Just like you need to re-certify for CPR, practicing incident response helps your IT team avoid panic and focuses them on their roles in the crisis.
- Discourage the use of USB drives. You don’t know where that USB drive has been, and neither do your employees. It may be a means of delivering malware.
- Remove local administrative privileges. You may get some push-back from your employees on this, but it’s a lot harder for ransomware to install itself if the user who triggers it doesn’t have the technical rights to install software.
There are certain fairly simple things that you can do to keep your business and your data safer from these types of attacks.
Think of them as preventative ransomware safeguards!
- Patch your stuff! Some ransomware exploits known software vulnerabilities, and eliminating those vulnerabilities can prevent its spread. Every good IT consulting company will tell you this is a top priority.
- Restrict privileged accounts. Eliminate local administrator rights for all computer users wherever possible and provide a separate privileged account for people who do need administrative access.
- Only publish and connect shares that are absolutely necessary. Since ransomware can spread by file shares and network drives, it’s important to reduce the number of those as much as possible.
- Follow the principle of least access. People should have access only to the bare minimum files that they need to be able to do their work. Ransomware can spread by hijacking the permissions of the person who inadvertently launched it. If that person’s access is limited, so will be the spread of the ransomware.
- Lock down RDP. Require that anyone connecting to RDP have to verify their identity with multifactor authentication (MFA). Employ an RDP Gateway to isolate the RDP server from direct contact with the Internet or place it behind a VPN connection (which requires MFA).
- Automate intrusion protection. Employ a firewall that will automatically block known bad IP addresses and domains involved in malware delivery. Most firewall web filters should have this capability. If this seems too burdensome, look at outsourcing all of this with Security as a Service (SaaS).
- Block encrypted attachments at your spam filter. Attackers are encrypting Office files so that antivirus software and spam filters can’t scan them. Blocking encrypted attachments will prevent these from slipping through your defenses.
Why You Need a Security IT Consultant To Help Protect Your Business From Ransomware
This is all overwhelming, we know. But you need to think of this as a necessary investment in protecting your data from the cyber criminals who are lurking everywhere, looking for vulnerable data.
It's no surprise that there has been a steep rise in businesses looking for top IT Consulting Services to help them figure out how to lower their risks.
If you think you need help with this process, or just want to have your current setup inspected by our security experts, contact us to learn about our Managed Cyber Security Services and schedule a private risk assessment session!