Do you have a computer that has been hijacked by a malicious hacker asking for money to unlock it? Are they threatening you by adding a timer, only giving you so long to respond? Even worse, has this ransomware spread to other computers on your network and even included servers that contain business data that is critical to your company?

Ransomware is making a comeback. Here are two personal stories.

I just had a conversation with a friend whose company had been hit with ransomware. I hadn’t seen ransomware for a while, maybe a couple of years. For them, it hit a couple of desktop computers, and one of those machines held their accounting software. They asked me if I could fix it. It’s a hard position to be in, wanting to help people but not being able to because it’s too late. I explained I could look at it and see if it’s an older variant that has the decryption keys available (this simply means checking whether the keys to unlock the ransomware are publicly available). If not, I explained, I can only help them with a roadmap to rebuilding and recovering from their losses. After that, we can help formulate a new plan for the future to reduce the risk of this happening again.

Then another friend of mine was sharing how they were having a hard time ordering parts from an e-commerce store. He finally had to call the store to try to get his time-sensitive order in. He was told their systems had been impacted by ransomware that spread across most of the systems. This problem was preventing them from completing online orders, and even once that system was back up, the ransomware was causing a problem with inventory, so they didn’t even know if they had on hand what their website was showing. Because of all this, they had to take phone orders only, and then go and manually find and retrieve everything before calling the customer back and finishing the order over the phone. Can you believe it? The company leadership had made a decision not to pay the ransom. I respect that. Unfortunately, it puts all the burden on the technology staff to attempt to recover as much as they can.

 

What causes a system to be infected with ransomware?

Bottom line: missing security patches. Every strain of ransomware I’ve worked on and been able to bring to a close has involved an exploit that leveraged a vulnerability within a computer system.

Computer system vulnerabilities can be broken down into three categories:

1. Vulnerability Identified & Patch Available

2. Vulnerability Identified & Patch not available

3. Zero-Day Vulnerability – An exploit is available to attackers before the vendor even knows the system is vulnerable, so no patch can exist yet.

 

If we had to color code the severity of these categories, it would look like this:

1. System has no known vulnerabilities = GREEN

2. System has vulnerabilities, patch available = YELLOW

3. System has vulnerabilities, NO patch available = ORANGE

4. Exploit in the wild = RED

In every case of ransomware I’ve investigated, the system had a vulnerability and there was a patch available. Ouch.

 

If a patch was available, why wasn’t the system safe and protected?

Bottom line: because the patches were never installed on the system. Most systems do not patch themselves. We’re just starting to see cloud application vendors take advantage of more automated patching. An example of this is Evernote, a cloud application you access over the Internet. I installed the Evernote client software on my computer for easier access and offline productivity, and once in a while I get a pop-up from Evernote telling me a software patch is available and asking whether I want to install it now.

Most software doesn’t work that way. It’s the end user’s responsibility to know what software they have installed and what version it is, and to check with the vendor regularly to see whether any updates or patches are available. That can be a lot of work. That’s why companies with a large enough technology staff and budget implement dedicated software to manage patching and maintenance of the software on the company network. This isn’t a cure-all, since patching systems that leave the network, like mobile laptops, can be a problem, but it adds a lot of visibility into patch status. It’s also the technology department’s role to subscribe to, read, and review security bulletins from software vendors. Microsoft is a great example of a software vendor that publishes security patches on a monthly cycle. They list the security vulnerabilities in their software and the relevant patches, whether available or not.
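As an added example (not from the original post), here is how the patch-status visibility described above can be checked on a single Windows endpoint from PowerShell. It lists the most recently installed update, flags a machine that has missed a monthly cycle, and asks the local Windows Update Agent which published updates are still missing. It assumes Windows 10/11 or Windows Server with PowerShell 5.1 or later, an elevated session, and that the machine can reach its configured update source (Microsoft Update or an internal WSUS server); the 45-day threshold is an assumption chosen to catch one missed monthly cycle.

```powershell
# Added example: audit a Windows endpoint's patch status.
# Assumes PowerShell 5.1+, an elevated session, and reachability of the
# machine's configured update source. Threshold of 45 days is an assumption.

# 1. Installed updates and the date of the most recent one.
$installed = Get-HotFix |
    Where-Object { $_.InstalledOn } |          # some entries carry no date
    Sort-Object InstalledOn -Descending
$newest = $installed | Select-Object -First 1
"Most recent update installed: $($newest.HotFixID) on $($newest.InstalledOn.ToShortDateString())"

$daysSincePatch = (New-TimeSpan -Start $newest.InstalledOn -End (Get-Date)).Days
if ($daysSincePatch -gt 45) {
    Write-Warning "No update installed in $daysSincePatch days; at least one monthly cycle has been missed."
}

# 2. Updates the vendor has published that this machine has not installed.
#    IsInstalled=0 : not yet installed on this system
#    IsHidden=0    : not deliberately hidden by an administrator
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and IsHidden=0")

$missing = foreach ($u in $result.Updates) {
    [pscustomobject]@{
        Title    = $u.Title
        Severity = $u.MsrcSeverity   # Critical/Important/Moderate/Low; empty for non-security updates
        KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
    }
}

"$(@($missing).Count) update(s) published but not installed"
$missing | Sort-Object Severity | Format-Table -AutoSize

# Anything MSRC rates Critical or Important is the YELLOW case from the post:
# vulnerability known, patch available, patch not applied.
$missing | Where-Object { $_.Severity -in 'Critical', 'Important' }
```

Run this across a sample of desktops and you have the same patch-status visibility a patch management product gives you, without the product; it does not fix the problem of laptops that leave the network, because it only reports on the machine it runs on.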

 

So if my computer is all patched up, am I safe from ransomware?

Yes and no.

Yes, from a vulnerability perspective. If you’re fully patched and there are no known vulnerabilities on your systems, you are safe from a ransomware attack that arrives through a remote exploit of one of those vulnerabilities. The exception is the RED category above: a zero-day exploit for a flaw the vendor has not patched yet, which patching alone cannot stop.

No, from a user perspective. If the user of the computer has administrative rights (these are like ‘god’ rights) to the system and gives permission to an unapproved piece of software to download and install, that software could be ransomware. Note that ransomware does not actually need administrative rights to encrypt the files the user can already read and write; what administrative rights give it is the ability to disable security tools, delete local backups such as shadow copies, and reach further across the system and the network.

 

What should I do to stop ransomware if my users have administrative access?

We recommend a multi-step approach. The first thing is security awareness training. This is something we at Asher Security specialize in, and we can work with you to build a program or point you to some helpful resources if you want to do it yourself. The goal here is to train users to recognize malicious download and install prompts and phishing attempts. We want users to know what the threats are, what they look like, and what to do when they see something that looks like an attack attempt.

The next thing you should do is perform a data classification inventory. This is a cybersecurity process that inventories what kind of data is on each computer and how sensitive or important it is. It’s like a risk assessment, but for data rather than systems. An output of this inventory is a list of the computers that hold high-risk data. From that risk report, we can move the data off those systems to reduce the system risk, add security controls to those systems to decrease the risk, or build process improvements.

In the meantime, it’s a great practice to review your backup and recovery procedures. If a system were hijacked by a ransomware attack, could you recover the important data onto another system if you had to? The gap between how often the data changes and how often it is backed up is your exposure time: everything written since the last good backup is what the attack would cost you. Decide whether that exposure time is acceptable. If not, consider whether more frequent backups can be scheduled or whether other technology controls can be put in place to reduce the risk of important data loss. Two more checks belong in this review: make sure at least one backup copy is offline or otherwise not writable from the infected machines, since ransomware that spreads to servers (as in the second story above) will also encrypt any backup it can reach, and actually test a restore, because a backup you have never restored from is an assumption, not a recovery plan.

The final thing we recommend is reviewing your endpoint security strategy. When we say ‘endpoint’ we mean the users’ computers, the machines employees use to complete their work duties. Endpoints do not include the backend servers; we just refer to those systems as ‘servers’. Part of an endpoint security strategy review is asking questions like: does the user need administrative access to the endpoint? If not, removing it is a huge and easy win that greatly improves your security posture without decreasing productivity.
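As an added example (not from the original post), the administrative-access question above can be answered and acted on with the LocalAccounts cmdlets on a Windows endpoint. The script lists every member of the local Administrators group that is not on an approved list, then demotes a day-to-day user account to a standard user. It assumes Windows 10/11 with PowerShell 5.1 or later and an elevated session; the approved list and the account name jsmith are placeholders for this example, not real values.

```powershell
# Added example: audit local admin rights on a Windows endpoint and demote a
# day-to-day user to a standard user. Assumes PowerShell 5.1+, elevated session.
# $approvedAdmins and 'jsmith' are placeholders; adjust to your environment.

# Accounts expected to keep local admin on a managed endpoint: the built-in
# Administrator account (ideally disabled) and the domain admins group.
$approvedAdmins = @(
    "$env:COMPUTERNAME\Administrator",
    "$env:USERDOMAIN\Domain Admins"
)

function Get-UnapprovedLocalAdmins {
    # Every member of the local Administrators group not on the approved list.
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $approvedAdmins -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

$unapproved = Get-UnapprovedLocalAdmins
if ($unapproved) {
    Write-Warning "Accounts holding local admin rights that are not on the approved list:"
    $unapproved | Format-Table -AutoSize
} else {
    "Only approved accounts hold administrative rights on $env:COMPUTERNAME."
}

# Demote a day-to-day user. They keep their files and installed programs but can
# no longer install software system-wide, turn off security tools, or run
# anything 'as administrator' without a separate admin credential.
$userToDemote = "$env:COMPUTERNAME\jsmith"   # placeholder account name
if (Get-LocalGroupMember -Group 'Administrators' -Member $userToDemote -ErrorAction SilentlyContinue) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $userToDemote
    "Removed $userToDemote from Administrators; the change applies at their next sign-in."
}

# Verify the account is still in Users so the person can keep signing in and working.
Get-LocalGroupMember -Group 'Users' | Where-Object Name -eq $userToDemote
```

Group membership changes take effect when the user next signs in, so schedule the demotion for a time when the user can log off and back on. Keep a separate, named administrator account for the technology staff rather than sharing the built-in Administrator password.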

Ransomware is a giant pain. It forces an ethical wrestle over whether to pay, it takes time, it takes systems offline, it can prevent you from ever getting your data back, and, as you can see in my personal true stories, it can absolutely cost companies a lot of money.

 

We are dedicated to helping companies reduce their risk of cyber attacks here in Minnesota. We work with small and medium-size businesses in St. Cloud, Minneapolis, and St. Paul to build strategies and security controls. If you have any questions, we’re happy to help. We’re trying to build long-term relationships with companies like yours, even if that doesn’t mean a sale.
