Posted on 12/19/2019 6:48:51 AM PST by Alas Babylon!
The increased connectivity of computers and the growth of Bring Your Own Device (BYOD) in most organizations are making the distribution of malicious software (malware) easier. Unlike other types of malicious programs, which may go undetected for long periods, a ransomware attack is usually felt immediately, and its impact on information technology infrastructure is often irreversible.
As part of Microsoft's Detection and Response Team (DART) Incident Response engagements, we regularly get asked by customers about paying the ransom following a ransomware attack. Unfortunately, this situation often leaves customers with limited options, depending on the business continuity and disaster recovery plans they have in place.
The two most common options are either to pay the ransom (with the hopes that the decryption key obtained from the malicious actors works as advertised) or switch gears to a disaster recovery mode, restoring systems to a known good state.
The unfortunate truth is that most organizations are left with the single option of paying the ransom, because rebuilding has been taken off the table by a lack of known good backups, or because the ransomware also encrypted the known good backups. Moreover, a growing list of municipalities around the U.S. has seen their critical infrastructure, as well as their backups, targeted by ransomware, a move by threat actors to better guarantee a payday.
We never encourage a ransomware victim to pay any form of ransom demand. Paying a ransom is often expensive, dangerous, and only refuels the attackers' capacity to continue their operations; bottom line, this equates to a proverbial pat on the back for the attackers. The most important thing to note is that paying cybercriminals for a ransomware decryption key provides no guarantee that your encrypted data will be restored.
So, what options do we recommend? The fact remains that every organization should treat a cybersecurity incident as a matter of when it will happen, not whether it will happen. Having this mindset helps an organization react quickly and effectively to such incidents when they occur. Two major industry-standard frameworks, from the SysAdmin, Audit, Network, and Security (SANS) Institute and from the National Institute of Standards and Technology (NIST), describe similar concepts for responding to malware and cybersecurity incidents. The bottom line is that every organization needs to be able to plan, prepare, respond, and recover when faced with a ransomware attack.
Outlined below are steps designed to help organizations better plan and prepare to respond to ransomware and major cyber incidents.
1. Use an effective email filtering solution
According to the Microsoft Security Intelligence Report Volume 24 of 2018, spam and phishing emails are still the most common delivery method for ransomware infections. To stop ransomware at its entry point, every organization needs to adopt an email security service that ensures all email content and headers entering and leaving the organization are scanned for spam, viruses, and other advanced malware threats. With an enterprise-grade email protection solution in place, most email-borne threats against an organization will be blocked at ingress and egress.
2. Regular hardware and software systems patching and effective vulnerability management
Many organizations are still failing to adopt one of the age-old cybersecurity recommendations and most important defenses against cybersecurity attacks: applying security updates and patches as soon as the software vendors release them. A prominent example of this failure was the WannaCry ransomware outbreak in 2017, one of the largest global cybersecurity attacks in the history of the internet, which exploited a leaked vulnerability in the Windows Server Message Block (SMB) networking protocol for which Microsoft had released a patch nearly two months before the first publicized incident. Regular patching and an effective vulnerability management program are important measures to defend against ransomware and other forms of malware, and are steps in the right direction to ensure an organization does not become a victim of ransomware.
3. Use up-to-date antivirus and an endpoint detection and response (EDR) solution
While owning an antivirus solution alone does not ensure adequate protection against viruses and other advanced computer threats, it's very important to keep antivirus solutions up to date with their vendors' releases. Attackers invest heavily in the creation of new viruses and exploits, while vendors are left playing catch-up by releasing daily updates to their antivirus database engines. Complementary to owning and updating an antivirus solution is the use of EDR solutions, which collect and store large volumes of data from endpoints and provide real-time host-based, file-level monitoring and visibility into systems. The data sets and alerts generated by such a solution can help to stop advanced threats and are often leveraged when responding to security incidents.
4. Separate administrative and privileged credentials from standard credentials
Working as a cybersecurity consultant, one of the first recommendations I usually provide to customers is to separate their system administrative accounts from their standard user accounts and to ensure those administrative accounts are not usable across multiple systems. Separating these privileged accounts not only enforces proper access control but also ensures that a compromise of a single account doesn't lead to the compromise of the entire IT infrastructure.
Additionally, using Multi-Factor Authentication (MFA), Privileged Identity Management (PIM), and Privileged Access Management (PAM) solutions is an effective way to combat privileged account abuse and a strategic way of reducing the credential attack surface.
5. Implement an effective application whitelisting program
It's very important, as part of a ransomware prevention strategy, to restrict the applications that can run within an IT infrastructure. Application whitelisting ensures that only applications that have been tested and approved by the organization can run on systems within the infrastructure. While this can be tedious and presents several IT administrative challenges, the strategy has proven effective.
6. Regularly back up critical systems and files
The ability to recover to a known good state is the most critical strategy of any information security incident plan, especially for ransomware. Therefore, to ensure the success of this process, an organization must validate that all its critical systems, applications, and files are regularly backed up and that those backups are regularly tested to ensure they are recoverable. Ransomware is known to encrypt or destroy any file it comes across, often making files unrecoverable; consequently, it's of utmost importance that all impacted files can be easily recovered from a good backup stored at a secondary location not impacted by the ransomware attack.
Follow us at @MSFTSecurity for the latest news and updates on cybersecurity.
I've been called in to help one city and it's a real hot mess. None of the above steps were really being taken except in certain areas. Good Christmas bonus for me but still a shame.
Foolish for back ups to be anywhere except secure and off site (and not network drives).
VM images make short work of restores. It doesn't have to be painful.
If you backup regularly you can survive any ransomware attack.
My main machine is a Dell desktop system. I have 2 drives that are in a RAID1 (Mirror) configuration. Each weekend, I open the box, yank one of the 2 drives, put it on a shelf, and replace the yanked drive with one that has had the partitions erased. Once in the machine the motherboard BIOS rebuilds the boot drive to the fresh blank drive.
If I get a virus or ransomware, I erase both drives, delete the partition and replace one of them with last weekend’s backup.
The system boots up, and rebuilds the last backup to the erased drive and just goes on. During rebuild, I can still use the computer, just at about 60% normal speed while the rebuild takes place (about 4-6 hours for a 2TB system).
Absolutely.
One cheap USB drive to store a system image and/or VM vhd.
Seagate and WD USB 1TB drives at Amazon for 44 bucks.
Isn’t FReeping worth it?
Can a program be written to stop encryption as it's detected and alert the user? 'You are about to encrypt your work. Do you want to continue?'
Ransomware will continue until laws are passed making the consequences of getting caught and convicted so onerous that you dare not risk it.
Small city governments and smallish regional hospitals are very vulnerable... and many of them just pay, and then hope for the best.
Of course you pay. Then you go about doing things right.
that’s pretty bad, but a pragmatic reality :(
If ya pay once, you’ll pay again and again and again.
Clicking on a search result and without any warning, a ransom note popped up!!
My first thought was to wipe the drive and restore it.
A quick call to my friend and Linux Guru.
When he stopped laughing, he said to reboot and had me run some diagnostics. And everything was AOK.
Ubuntu 18.04 LTS
Thank You, Linus Torvalds!!!!
And the Bionic Beaver!!!
I’ve been getting emails with a former password in the subject line.
They claim they hacked my camera and have my passwords from a key logger.
They asked for a pretty low amount of money. Threatened to release video of me watching porn. I’m a woman, don’t get into porn. I had porn gif pop up when I was scrolling through pictures on my phone. Can’t remember what I searched, but it was totally innocent!!
Is it possible they got it from phone? I get emails every few weeks. I’ve just ignored them but changed ALL my passwords anyway. Just in case.
Should I report to police?
They must have some info on me because it was one of my older passwords.
Relax. They get the old passwords by purchasing them on the Dark Web, then they make these bogus emails.
They got nothing. But do make sure you change your passwords.
The problem is, so many legitimate programs use encryption that if they set one of those User Account Control pop-ups to be triggered by it, every user would just disable it or ignore it because it would be happening all the time.
Yeah, some pop-up spam is just designed to look like ransomware but doesn’t actually encrypt anything on your system. Kind of like the fake “VIRUS DETECTED” pop-ups.
Some have a delivery method: JavaScript attachments. Since most people have the default turned on in Explorer (not to show file extensions), they will name a file something like Invoice.txt.js. Since the .js extension doesn't show up, the file looks like Invoice.txt.
Most people will assume that it is safe to open (Microsoft doesn't help matters, because the default icon for a JavaScript extension resembles a document icon). People will click on this and it will execute the script, connecting to a download server, fetching the actual ransomware in the form of a Windows program (an .EXE file), and launching it to complete the infection.
The way to counter this is to create a text file with notepad and rename it with the .js extension. Then right click on it and tell it to open this with Notepad from then on.
This way if one accidentally downloads one of these and clicks on it, it won’t execute.
Create a text file by right-clicking and choosing New > Text Document, and save it as "All files" with a name like: ransomwareprotect.js
Then right-click on it, highlight "Open with", and choose Notepad.
Notepad is located in c:\windows folder.
Choose "another app" (Win10); Win7 is similar.
Then check the box:
"Always use this app to open .js files" and click OK.
Store the file anywhere like the Desktop or Documents.
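As an added example (not code from the thread), here is a read-only PowerShell audit of the two Windows settings the procedure above depends on: whether Explorer hides known extensions, and which program is registered to open .js files. The registry paths are the standard Windows ones; the script changes nothing.

```powershell
# Added example, not from the thread: audits whether a double-clicked .js attachment would
# run through Windows Script Host, and whether Explorer would hide its extension.

function Get-RegistryDefault {
    # Returns a key's (Default) value, or $null if the key does not exist.
    param([string]$Path)
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return $null }
    return $key.GetValue('')
}

function Get-JsOpenCommand {
    # The per-user "Always use this app" choice (UserChoice) overrides the machine default.
    $userChoice = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.js\UserChoice'
    $progId = (Get-ItemProperty -Path $userChoice -Name ProgId -ErrorAction SilentlyContinue).ProgId
    if (-not $progId) {
        # Machine-wide default ProgId for .js; on a stock install this is 'JSFile'.
        $progId = Get-RegistryDefault -Path 'Registry::HKEY_CLASSES_ROOT\.js'
    }
    if (-not $progId) { return [pscustomobject]@{ ProgId = $null; Command = $null } }
    $cmd = Get-RegistryDefault -Path "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    return [pscustomobject]@{ ProgId = $progId; Command = $cmd }
}

# 1. Are known file extensions hidden? (HideFileExt = 1 is the Windows default.)
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$hideExt = (Get-ItemProperty -Path $advanced -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
if ($hideExt -eq 1) {
    Write-Warning "Explorer hides known extensions: a file named 'Invoice.txt.js' is shown as 'Invoice.txt'."
} else {
    Write-Output 'Explorer shows file extensions.'
}

# 2. What happens on a double-click of a .js file?
$assoc = Get-JsOpenCommand
Write-Output "ProgId for .js : $($assoc.ProgId)"
Write-Output "Open command   : $($assoc.Command)"
if ($assoc.Command -match '\b[wc]script(\.exe)?\b') {
    Write-Warning 'Double-clicking a .js file executes it through Windows Script Host.'
} elseif ($assoc.Command) {
    Write-Output 'A .js file opens in an editor/viewer instead of executing (the mitigation in the post).'
} else {
    Write-Output 'No open command is registered for .js.'
}
```

Run it as the user whose profile you want to check, since the "Open with" choice is stored per user.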
It’s time to sue the shit out of Microsoft. What kind of dumbass company allows anonymous encryption of files, and yet provides no stop gaps for asking for confirmation from the user if they want to encrypt files?
“Foolish for back ups to be anywhere except secure and off site (and not network drives).”
No longer true. We are triple backed up. One B/U, and B/U offsite. These programs now have timers before they execute. Our backups are continuous. One every half hour, the other one every hour. When we got hit, the first one executed and started on our primaries. The second one started on our local backups. Our IT group was doing some work on the system, and so the downtown backup didn't start for about an hour and a half.
When they realized we were hit, they called downtown and pulled the plug. It was really more luck than anything else that we were able to save those servers.
Thanks for the info.