Four Actions to Prevent Ransomware

By: (Network+, CISA)

Publication: The Community Banker , Summer 2016

The Community Banker Summer 2016

Malware is a constant threat to networks. While primarily affecting Windows systems in the past, newer versions of malware can wreak havoc on Linux and OSX systems as well. The malware variant that is becoming increasingly more popular and devastating is ransomware. Ransomware results in the encryption of local and network-mapped files followed by a ransom request to the user. Ransomware affects home users, police departments, banks, and even hospitals, with no sign of slowing down due to the level of anonymity associated with bitcoin, the ease of spreading the software, and the likelihood of payout by infected users.

Ransomware can be dealt with in a couple ways: either through mitigating controls to lower both the risk of infection and the damage caused, or by recovering data from backups after encryption has occurred. The best option, of course, is preventing infection in the first place and the controls below can help prevent ransomware from threatening files and ruining your day.

  1. User training – As users will always be the weakest link, there can never be enough user training. While there have been some instances of legitimate websites delivering ransomware, these are rare; the typical delivery vehicles of ransomware are phishing emails and insecure websites. Technical controls such as Internet content filtering and email sorting can aid to an extent, but teaching users to be wary of phishing emails and unknown websites should be standard practice.

  2. Antivirus or ransomware prevention tool – Antivirus detection methods are not as effective as they once were, but up-to-date virus definitions can still be beneficial in preventing ransomware from executing. In addition, companies such as Malwarebytes1 are working on anti-ransomware tools that add an extra layer of security.

  3. Least privilege – The idea of least privilege is to prevent access to information a user has no business need to access. In this instance, restricting or removing file access controls so users only have access to the information they need could prevent encryption of sensitive data. If the user does not have access or only has read-only access, then the files in the folder are protected from ransomware as well.

  4. Air gapped backups – As mentioned above, network-mapped files are just as susceptible to encryption by ransomware as local files. This includes cloud storage drives such as Dropbox and OneDrive and internal network drives the user has access to. Although tape backups, by nature, create an air gap for the backup data, the trend of having instant network backups for disaster recovery has led to a decrease in tape usage and an increase in disk drives that can be easily accessed and replicated. As a result, it is extremely important to either keep backup drives from being mapped on the network or to reinstate the tape backup process for secondary backup purposes. If tape backups are too expensive or time consuming, then a dedicated backup through a trusted cloud provider would also be an effective option.

What if we’ve already been infected?

If ransomware infection isn’t prevented, then recovery or restoration of the data after encryption needs to be addressed. Whether or not to pay the ransom may seem like an easy decision; however, depending on the quality of the backups and the user’s situation, it may become more complicated. Before you make a decision, keep these scenarios in mind:

  1. Pay the ransom
    1. Ransom is paid and files are unlocked – It has been common for the decryption key to be provided after bitcoin payout of the ransom. While this would allow access to the encrypted files, it needs to be determined if the files can be trusted and if risk of reinfection exists. Remember, someone else has modified the data, and has already shown to be untrustworthy, so careful consideration needs to be made.

    2. Ransom is paid and files are not unlocked – Recently, Kansas Heart Hospital2 was hit with ransomware and paid the ransom. Unfortunately, instead of providing a decryption key, the attackers asked for another ransom payout.

  2. Don’t pay the ransom

    1. Find an available decryption key – On occasion, researchers or antivirus software makers are able to discover a way to provide decryption keys for specific ransomware variants, which can then be used to decrypt the infected files. Additionally, ransomware makers can sometimes have a change of heart and release the master decryption key, as was the case with the Teslacrypt3 ransomware.

    2. Recover from backups – The ideal method for dealing with ransomware encryption is to restore from recent backups; however this is only effective with a strong backup process, and only works if the backups were protected from the ransomware encryption process.

The ransomware threat is going to be around for a while, so it is imperative that steps are taken to lessen the probability and impact of an infection. Keep regular, verified backups in place to ensure the integrity of the data for full restoration so that business can proceed as usual.

 

Daniel Lindley is a Security and Compliance Consultant for CoNetrix. CoNetrix is a technology firm dedicated to understanding and assisting with the information and cyber security needs of community banks. Offerings include: information security consulting, IT/GLBA audits, security testing, cloud hosting and recovery solutions, and tandem software, used by over 1000 financial institutions to help manage their information security programs, cybersecurity, and more. Visit our website at www.conetrix.com.

 

1 https://blog.malwarebytes.org/malwarebytes-news/2016/01/introducing-the-malwarebytes-anti-ransomware-beta/

2 http://www.networkworld.com/article/3073495/security/kansas-heart-hospital-hit-with-ransomware-paid-but-attackers-demanded-2nd-ransom.html

3 http://www.securityweek.com/alleged-author-locker-ransomware-publishes-decryption-keys