Just about every week this year we’ve seen a news report about a city, corporation, hospital, or school system suffering a ransomware attack that brought operations to a halt.
Criminals are changing their tactics, turning away from individuals and focusing on organizations that have the ability to pay costly ransoms, especially organizations that lack sophisticated cyber security defenses.
Unfortunately, that often means small to medium businesses make easy targets, as they seldom have the expertise or resources to have the proper defenses in place.
In my role, I act as a virtual CIO for some of Ntiva's clients, primarily focused on cyber security challenges. I’ve seen many different forms of ransomware, and I'm often asked after an attack: "What should we do first?"
Of course, an ounce of prevention is worth a pound of cure, but let's dive in to some of the facts behind ransomware, including what to do if you're hit and the best way to prevent attacks in the first place!
What To Do If You're Hit With A Ransomware Attack
So, you’re seeing a ransomware attack happen right in front of your eyes. Here's a short list of actions you should take immediately!
- Inform your IT department or your Managed IT Service Provider of the attack ASAP
- Cut the power to your core switch (there are certain circumstances where you should NOT do this!)
- Disable all shares, including admin shares
- Use custom Windows firewall rules
- Disable RDP servers
- Locate the source of infection and quarantine it
- Restore damaged servers from a backup
Note that some of these recommendations will be disruptive and may break things, but they’re better than ransomware running wild through your organization. Here are some more details behind our recommendations:
- Physically cut power to your core switch. This will stop the ransomware from spreading laterally and keep it from interacting with its control servers on the Internet. IMPORTANT NOTE: Don’t do this, of course, if you have applications using your network that protect the health and safety of people. Those applications will stop working if you do. If you have telephones on your data network, they also will stop working.
- Disable all shares, including admin shares. This likely is going to break some things, but it also will make it harder for the ransomware to spread.
- Windows Firewall Is Your Ally. Use custom Windows Firewall rules to prevent computers from talking to one another over the ports that ransomware is likely to use.
- Cut off Internet-bound traffic at your firewall with a quick rule change.
- Disable RDP servers.
- Locate the source of the infection and keep it isolated for later examination; quarantine all other affected computers until they can be restored.
- Restore damaged servers from backup. Rather than just restoring encrypted files, recover the entire server from a known-good date. Having consistent and well-maintained backups is a key benefit of outsourcing your IT.
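The host-level steps above (disable shares including admin shares, Windows Firewall block rules, disable RDP) as one containment script. This is an added example, not Ntiva tooling; it assumes Windows 8/Server 2012 or later for the SmbShare and NetSecurity modules, and the evidence path is a constructed placeholder.

```powershell
#Requires -RunAsAdministrator
# Host-level containment for a Windows machine during an active ransomware incident.
# Run on the suspected source and on exposed file servers; expect it to break shares and remote access.

$Evidence = "C:\IR-$(Get-Date -Format yyyyMMdd-HHmmss)"   # constructed path for volatile evidence
New-Item -ItemType Directory -Path $Evidence -Force | Out-Null

# 0. Capture volatile state BEFORE containment destroys it (who is connected to what, what is running).
Get-NetTCPConnection -State Established |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess |
    Export-Csv -Path "$Evidence\tcp-connections.csv" -NoTypeInformation
Get-SmbSession -ErrorAction SilentlyContinue | Export-Csv -Path "$Evidence\smb-sessions.csv" -NoTypeInformation
Get-Process | Select-Object Id, ProcessName, Path | Export-Csv -Path "$Evidence\processes.csv" -NoTypeInformation

# 1. Disable all shares, including the administrative shares (C$, ADMIN$), and stop them being recreated at boot.
$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Set-ItemProperty -Path $LanmanParams -Name AutoShareWks    -Value 0 -Type DWord   # workstations
Set-ItemProperty -Path $LanmanParams -Name AutoShareServer -Value 0 -Type DWord   # servers
Get-SmbShare | Where-Object { $_.Name -ne 'IPC$' } | ForEach-Object {
    Write-Host "Removing share $($_.Name) -> $($_.Path)"
    Remove-SmbShare -Name $_.Name -Force
}

# 2. Windows Firewall: block the ports ransomware uses to move between machines (SMB, RDP).
New-NetFirewallRule -DisplayName 'IR-Contain: block inbound SMB' -Direction Inbound `
    -Protocol TCP -LocalPort 139, 445 -Action Block -Profile Any | Out-Null
New-NetFirewallRule -DisplayName 'IR-Contain: block inbound RDP' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -Action Block -Profile Any | Out-Null

# 3. Disable RDP itself, its built-in firewall allow rules, and the service.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
    -Name fDenyTSConnections -Value 1 -Type DWord
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
Stop-Service -Name TermService -Force -ErrorAction SilentlyContinue

Write-Host "Containment applied. Evidence saved to $Evidence; keep this host isolated for examination."
```

Reversing these changes later means re-enabling the shares and deleting the two IR-Contain rules, so record what was removed.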
Does Paying The Ransom Mean You Get Your Data Back?
According to the latest reports, more than 621 government agencies, healthcare providers, and schools have fallen victim to ransomware this year, as of October 1st 2019.
And that doesn't include the thousands (yes, thousands) of small businesses who have been hit. Some report the attacks, but many others don't for a variety of reasons.
Ntiva has helped our own clients recover from 13 separate attacks this year, and we’ve stopped many, many more.
Why this rise in ransomware? In short, it’s making money.
People are paying the blackmail money to criminals, which is making ransomware a very profitable enterprise.
Cyber insurance firms are making matters worse by telling clients to pay ransoms since that often is less expensive than recovering systems.
All of this, of course, only encourages more criminals.
Does paying the ransom guarantee that the criminals will decrypt your data? Absolutely not.
Worse, they may have left behind a whole collection of hacker tools to use at a later date.
Learn The Most Common Ransomware Attack Vector
We usually think about email as a primary delivery vehicle for malware of all sorts, and it continues to be an extremely effective way to trick users into deploying ransomware.
One recent article noted an important attack vector that most organizations might not consider: open Remote Desktop Protocol (RDP) systems.
Attackers guess username and password combinations on exposed RDP servers until they get onto the server and then drop ransomware.
Once the ransomware has a toehold in an organization, it spreads rapidly from computer to computer and server to server by exploiting loose file permissions, open shares, and un-patched operating system vulnerabilities.
Variants Of Ransomware You Should Know About
There are a lot of great articles that provide technical deep dives on ransomware variants, but my goal here is to talk about some of the most important that we're seeing in the field, at a high level.
Dharma
Dharma originated in 2016 and is being delivered by brute-force attacks on open RDP ports (more on how to protect RDP later). Like other newer ransomware variants, Dharma deletes your local volume shadow copies so you’re not able to recover using earlier saved Windows snapshots.
Emotet, Trickbot, and Ryuk
These are three different software packages with different functions, and attackers often use them together. Emotet and Trickbot aren’t ransomware, but they’re often used to deploy ransomware, and we’ve seen them used in conjunction with Ryuk at our clients. This creates what has been coined “The Unholy Alliance.” They can all be found separately in the wild, of course, but I’m going to lump them together in a single package of woe.
Emotet essentially sets the stage for attacks by gathering information, stealing contacts from Outlook, and generally trying to gain access to whatever data it can. If you see a lot of unexplained locked user accounts on your internal network, that might be a sign that Emotet is active. Emotet can update itself several times a day, making it hard for traditional antivirus to find.
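The "unexplained locked user accounts" indicator above, turned into a check against the Security log on a domain controller. This is an added example, not Ntiva tooling; it assumes account lockout auditing is enabled (Event ID 4740, "A user account was locked out"), and the threshold and the sample records are constructed.

```powershell
# Event ID 4740 is logged on the domain controller; requires Security log read rights.
function Get-LockoutRecords {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        # Read the structured EventData fields instead of regexing the message text.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Account    = $data['TargetUserName']
            SourceHost = $data['TargetDomainName']  # in 4740 this field holds the "Caller Computer Name"
        }
    }
}

function Get-LockoutSummary {
    param(
        [Parameter(ValueFromPipeline)] [object]$Record,
        [int]$Threshold = 3   # lockouts from one host in the window that merit a look (assumed value)
    )
    begin { $all = @() }
    process { $all += $Record }
    end {
        # One user mistyping locks one account; many accounts locked from one host looks like credential abuse.
        $all | Group-Object SourceHost | ForEach-Object {
            $times = @($_.Group.Time | Sort-Object)
            [pscustomobject]@{
                SourceHost       = $_.Name
                Lockouts         = $_.Count
                DistinctAccounts = @($_.Group.Account | Sort-Object -Unique).Count
                FirstSeen        = $times[0]
                LastSeen         = $times[-1]
                Suspicious       = ($_.Count -ge $Threshold)
            }
        } | Sort-Object Lockouts -Descending
    }
}

# Constructed sample records so the logic can be seen without a domain controller at hand.
$sample = @(
    [pscustomobject]@{ Time = Get-Date '2019-10-01 08:01'; Account = 'jsmith';     SourceHost = 'JSMITH-LAPTOP' }
    [pscustomobject]@{ Time = Get-Date '2019-10-01 02:10'; Account = 'svc_backup'; SourceHost = 'WS-117' }
    [pscustomobject]@{ Time = Get-Date '2019-10-01 02:11'; Account = 'kdoe';       SourceHost = 'WS-117' }
    [pscustomobject]@{ Time = Get-Date '2019-10-01 02:12'; Account = 'admin2';     SourceHost = 'WS-117' }
)
$sample | Get-LockoutSummary | Format-Table -AutoSize   # WS-117 is flagged Suspicious; JSMITH-LAPTOP is not
# Live use: Get-LockoutRecords -Hours 24 | Get-LockoutSummary | Where-Object Suspicious
```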
Trickbot is sometimes installed by Emotet as a means of capturing keystrokes, stealing credentials, and gathering information from web browsers. Trickbot originally targeted the financial services industry, but we’re starting to see it in other places, such as education and the legal sector. It will use encryption to disguise itself from antivirus software. Trickbot, like Emotet, doesn’t encrypt data itself; it lays the groundwork and installs Ryuk.
Ryuk appeared in 2018, a spin-off of ransomware that may have been developed by North Korea. Ryuk encrypts data and deletes shadow copies, and it has earned as much as $3.7 million in ransoms for its operators thus far, according to CrowdStrike. Ryuk was used in the recent Pitney Bowes attack.
How Can You Keep Ransomware From Striking In The First Place?
This is all well and good, you may be thinking, but how can you keep ransomware from striking in the first place?
With new strains of ransomware appearing in the wild all the time there are no certainties, but you can do a lot to reduce the likelihood of infection and reduce its spread.
Here is a comprehensive list of actions you should follow to help stop ransomware from penetrating your organization:
- Provide regular phishing prevention training to help your users recognize attacks
- Develop a security incident response plan and test it annually. Just like you need to re-certify for CPR, practicing incident response helps your IT team avoid panic and focuses them on their roles in the crisis.
- Discourage the use of USB drives. You don’t know where that USB drive has been, and neither do your employees. It may be a means of delivering malware.
- Remove local administrative privileges. You may get some push-back from your employees on this, but it’s a lot harder for ransomware to install itself if the user who triggers it doesn’t have the technical rights to install software.
- Patch your stuff! Some ransomware exploits known software vulnerabilities, and eliminating those vulnerabilities can prevent its spread.
- Only publish and connect file shares that are absolutely necessary. Since ransomware can spread by file shares and network drives, it’s important to reduce the number of those as much as possible.
- Follow the principle of least access. People should have access only to the bare minimum files that they need to be able to do their work. Ransomware can spread by hijacking the permissions of the person who inadvertently launched it. If that person’s access is limited, so will be the spread of the ransomware.
- Lock down RDP. Require anyone connecting to RDP to verify their identity with multifactor authentication (MFA). Employ an RDP Gateway to isolate the RDP server from direct contact with the Internet, or place it behind a VPN connection (which requires MFA).
- Automate intrusion protection. Employ a firewall that will automatically block known bad IP addresses and domains involved in malware delivery. Most firewall web filters should have this capability.
- Block encrypted attachments at your spam filter. Attackers are encrypting Office files so that antivirus software and spam filters can’t scan them. Blocking encrypted attachments will prevent these from slipping through your defenses.
This may seem like a long list, but think of them as preventative ransomware safeguards!
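The "lock down RDP" and "remove local administrative privileges" items above as an audit-then-harden script for a single Windows host. This is an added example, not Ntiva tooling; it assumes Windows 10 / Server 2016 or later (NetSecurity and LocalAccounts modules), and the management subnet and the svc_legacy account are constructed placeholders.

```powershell
#Requires -RunAsAdministrator
$MgmtSubnet = '10.0.10.0/24'                    # the only network allowed to reach RDP on this host (assumed)
$DemoteAccounts = @("$env:COMPUTERNAME\svc_legacy")   # constructed placeholder; fill from the audit output
$TS = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

function Get-RdpExposure {
    # Rules in the built-in 'Remote Desktop' group that are enabled and accept connections from any address.
    $openRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue |
        Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }
    # Local Administrators other than the built-in Administrator (RID 500) and Domain Admins.
    $extraAdmins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Where-Object { $_.SID.Value -notmatch '-500$' -and $_.Name -notlike '*\Domain Admins' }
    [pscustomobject]@{
        RdpEnabled       = (Get-ItemProperty $TS).fDenyTSConnections -eq 0
        NlaRequired      = (Get-ItemProperty "$TS\WinStations\RDP-Tcp").UserAuthentication -eq 1
        OpenToAnyHost    = @($openRules).Count -gt 0
        ExtraLocalAdmins = @($extraAdmins).Name
    }
}

function Set-RdpHardening {
    param([string]$AllowedSubnet)
    # Network Level Authentication: the client must authenticate before a session is created.
    Set-ItemProperty -Path "$TS\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1 -Type DWord
    # Scope the built-in RDP allow rules to the management subnet instead of 'Any'.
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $AllowedSubnet
}

$before = Get-RdpExposure
$before | Format-List
if ($before.RdpEnabled -and ($before.OpenToAnyHost -or -not $before.NlaRequired)) {
    Set-RdpHardening -AllowedSubnet $MgmtSubnet
}
# Least privilege: take local admin away from day-to-day accounts the audit listed.
foreach ($acct in $DemoteAccounts) {
    if ($before.ExtraLocalAdmins -contains $acct) {
        Remove-LocalGroupMember -Group 'Administrators' -Member $acct -ErrorAction SilentlyContinue
    }
}
Get-RdpExposure | Format-List   # re-audit: OpenToAnyHost should now be False and NlaRequired True
```

Scoping the firewall rules does not replace MFA or an RDP Gateway; it just removes the host from the set of Internet-reachable RDP servers that the brute-force attacks described above look for.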
Reaching Out For Cyber Security Help
This is all overwhelming, we know. But you need to think of this as a necessary investment in protecting your data from the cyber criminals who are lurking everywhere, looking for vulnerable data.
It's no surprise that there has been a steep rise in businesses looking for third party assistance to help them figure out how to lower their risks.
If you think you need help with this process, or just want to have your current setup inspected by our security experts, contact us to learn about our Managed Cyber Security Services including a complimentary risk assessment session.