Over the years malware has changed a lot; from office pranks, to malicious intent, to profit, the evolution is constant. We saw things change when worms were introduced, causing harm to networks. Trojans were introduced allowing remote access, opening the door for malicious activity or theft. During the last 10 years the threat landscape has once again evolved. Scareware was introduced which would trick users into “purchasing protection” when in reality it was just giving money to the attacker while the infection stayed behind. As users began catching on, the profits (although still large) were reduced. The latest, and possibly most devastating, is known as ransomware or crypto-ware.
So, what is it?- Essentially the malware holds your data hostage. When first unleashed, only certain file types were “locked” and if a user wanted access again it would cost them. Skip forward a couple of years and we are at the point where the entire drive is encrypted, preventing the PC from even booting. Most common variants now encrypt directories and file types but also delete things such as Volume Shadow Copies that could otherwise be used to restore clean versions of these items. In addition, most search for network shares and encrypt that data as well. There have been cases in the media recently where a single infection hopped around the network, infecting every workstation and server and shutting down business operations completely.
How does this happen?- This breed of infection is spread the same way as most generations of malware before it. Spam and watering hole attacks top the list. If you have used email you have encountered spam. This unsolicited junk mail is often ignored, but the social engineering involved is getting more realistic. Unpaid invoices, shipping notifications, simple things that one may see day to day in business are being forged and weaponized. Watering hole may be a term many are not familiar with. Suppose a lion wants to find many gazelles at once and catch one with its guard down. A watering hole is an excellent place to find a herd and ambush. In the cyber world this could be a post in a forum posing as a solution to a problem, on a site the target audience already visits. Similarly, drive-by attacks and malvertising are used. Suppose a network that delivers advertisements to other websites gets compromised and malicious ads replace the legitimate ones. Now the malware can spread across hundreds of websites to thousands of users in seconds.
I’m not a target.- These types of infections can be targeted, but more often than not the malware is spread indiscriminately. Attackers often cast a large net to try and infect as many as possible with minimal effort. Targeting a particular user or business requires research and insight into their brand and operations. That information is usually easy to find, but gathering it does take time. Just like any tax-paying business, malware authors are out to make money. We all know time is money, and any business model requires the return to be larger than the investment.
Joke is on them, our data isn’t on the workstations.- Is it safe? Most variants now not only encrypt what is found on the local machine but also search for file shares and mapped drives the user has access to. Like most malware, ransomware can move laterally through a network, infecting multiple machines. In some cases all storage volumes were affected. This means even attached flash drives or USB hard drives were encrypted. Imagine if a file server was infected while it was backing its data up to a USB drive. Now, not only is the production data unavailable but its backups are useless. How would your company fare if it had to start over tomorrow with no documents? This has been the case for many businesses in the last couple of years.
A few recent headlines outlining the significance of this problem:
- Alarm in Texas as 23 towns hit by ‘coordinated’ ransomware attack.
- Louisiana declares state of emergency after cybercriminals attack school districts.
- Jackson Public Schools victim of cyber-attack.
How did they get back up?- Business continuity is something that keeps every business owner up at night. Many organizations have procedures for events such as outages and infections. Depending on the ransomware, some businesses have been able to recover from local backups on USB drives. Others have had to restore shares from tape backups when the USB backups were also encrypted. Others still have had to reimage machines from older offline copies, leaving data days or months out of date. Unfortunately, some businesses have been unable to recover any data, and paying the ransom does not always yield restored access.
So what can you do?- Prepare. There is no silver bullet in the world of cyber security and unfortunately there are never guarantees. The best thing to do is to maintain a layered approach when it comes to security. We have discussed layered security before. Employee training on trends and what to look out for, defenses at both the network and host layers, DMZs, timely updates and patches, spam filters, web filters, reporting and usage analytics, verified (least-privilege) permissions on shares, etc. The list goes on. User awareness is a critical factor that often gets overlooked. After all, it could be the receptionist that opens the infected document from email.
Perform backups. Verify your backups; not all backups are created equal. Prepare for disaster. Simply copying files to cloud storage often leads to a false sense of security. Replication is not the same as a backup. Once the encrypted files are synced to the cloud servers, every device sharing that folder sees the encrypted copies too. The best approach is to use retention with backups. Keep several versions so that files and directories can be recovered from points in time prior to encryption, and keep enough of them that an infection that goes unnoticed for a few days does not age every clean copy out. Keep a rolling offline backup, be it tape or a USB drive that is only plugged in for the backup and removed until the next scheduled backup.
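To make the difference between replication and versioned backup concrete, here is a small point-in-time backup routine with retention and restore verification. This is an added example written for this post, not a tool the author or Upton uses; it relies only on the Python standard library, builds its sample file share inside a temporary directory so it runs offline, and the three-version retention depth, the snapshot labels and the simulated "infection" (a file overwritten with random bytes and renamed with a .locked suffix) are assumptions chosen for illustration.

```python
"""Point-in-time backup with retention and restore verification (example)."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

KEEP_VERSIONS = 3  # assumption: retention depth chosen for this example


def sha256_tree(root: Path) -> dict:
    """Map each file under root (relative path) to its SHA-256 digest."""
    digests = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            digests[str(p.relative_to(root))] = hashlib.sha256(p.read_bytes()).hexdigest()
    return digests


def take_snapshot(source: Path, backup_root: Path, label: str) -> Path:
    """Copy source into a new labelled directory and write a digest manifest
    beside it so the copy can be verified later without trusting the copy."""
    dest = backup_root / label
    shutil.copytree(source, dest)
    manifest = sha256_tree(dest)
    (backup_root / f"{label}.manifest").write_text(
        "\n".join(f"{h}  {name}" for name, h in sorted(manifest.items()))
    )
    return dest


def prune(backup_root: Path, keep: int = KEEP_VERSIONS) -> list:
    """Keep only the newest `keep` snapshots (labels sort chronologically);
    return the labels that were removed."""
    labels = sorted(p.name for p in backup_root.iterdir() if p.is_dir())
    removed = labels[:-keep] if len(labels) > keep else []
    for label in removed:
        shutil.rmtree(backup_root / label)
        (backup_root / f"{label}.manifest").unlink(missing_ok=True)
    return removed


def verify_snapshot(backup_root: Path, label: str) -> bool:
    """Recompute digests of the stored copy and compare with its manifest."""
    expected = {}
    for line in (backup_root / f"{label}.manifest").read_text().splitlines():
        h, name = line.split("  ", 1)
        expected[name] = h
    return sha256_tree(backup_root / label) == expected


def restore(backup_root: Path, label: str, target: Path) -> None:
    """Restore a snapshot into target (created if missing)."""
    shutil.copytree(backup_root / label, target, dirs_exist_ok=True)


def demo() -> dict:
    """Two clean snapshots, a constructed 'infection', two more snapshots,
    then prune and restore the last clean version."""
    work = Path(tempfile.mkdtemp())
    source, backups, restore_to = work / "share", work / "backups", work / "restored"
    source.mkdir()
    backups.mkdir()
    doc = source / "invoices" / "q1.txt"
    doc.parent.mkdir()

    doc.write_text("invoice 1001: 250.00\n")
    take_snapshot(source, backups, "snap-0001")
    doc.write_text("invoice 1001: 250.00\ninvoice 1002: 75.00\n")
    take_snapshot(source, backups, "snap-0002")

    # Constructed infection: overwritten with random bytes and renamed, which
    # is exactly what a replicating sync client would faithfully copy upward.
    doc.write_bytes(os.urandom(64))
    doc.rename(doc.with_suffix(".txt.locked"))
    take_snapshot(source, backups, "snap-0003")
    take_snapshot(source, backups, "snap-0004")
    removed = prune(backups)  # with KEEP_VERSIONS=3 this drops snap-0001 only

    verified = verify_snapshot(backups, "snap-0002")  # last clean point in time
    restore(backups, "snap-0002", restore_to)
    restored = (restore_to / "invoices" / "q1.txt").read_text()
    locked_in_latest = (backups / "snap-0004" / "invoices" / "q1.txt.locked").exists()
    shutil.rmtree(work)
    return {"removed": removed, "verified": verified, "restored": restored,
            "locked_in_latest": locked_in_latest}


if __name__ == "__main__":
    print(demo())
```

Note what the retention depth buys you: the newest two snapshots already contain the encrypted copy, and only because three versions are kept does a clean one survive the prune. With `KEEP_VERSIONS = 2` the same run would leave nothing to restore, which is the "replication is not a backup" failure mode in miniature. The manifest check is the "verify your backups" step; run it on the offline copy as well, not just the one that is always attached.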
It has happened.- If you find yourself in a situation where files within your organization are unavailable to you due to malware, there are steps to take. Depending on your level of preparedness the incident can vary from a minor annoyance to a catastrophe for the business. Below are general steps, but they are not one-size-fits-all. Some scenarios will require outside help, some will require intervention from authorities, and some may need to follow policies set within the organization.
- Isolate the systems – disconnect affected machines from the network (and detach any removable drives) to prevent the infection from spreading further; do not power them off if you intend to preserve volatile evidence.
- Scope out the damage – to what extent is the damage? Which machines were hit? Which file shares? Are backups affected?
- Create an image – for compliance measures or potential investigations you want analysis to be possible. Image the affected disks before you clean or reformat anything; if you intend to get authorities involved to try and track down the attacker, this is the evidence you will hand to them.
- Remove the malware – get the source off of the machines. If you are able to recover the data you do not want the incident to repeat.
- Restore from backups – get the data back. Restore from images if you have them. If you only have snapshots of directories or files to restore, reformatting (or reimaging) the affected systems first is strongly advised so that the restored data does not land on a machine that is still infected.
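The "scope out the damage" step is easier with a scanner that walks each share and flags what looks encrypted before anyone starts restoring. The script below is an added example written for this post, not an Upton tool or a detection for any particular ransomware family. It uses two generic indicators: files whose bytes have near-random Shannon entropy (encrypted data approaches 8 bits per byte, ordinary documents sit far lower) and note-like text files whose names contain words such as "restore" or "decrypt". The entropy threshold, the keyword list, the allow-list of formats that are high-entropy by design (archives, images, PDFs) and the sample directory tree it builds under a temporary directory are all assumptions for illustration.

```python
"""Scope a suspected ransomware incident by flagging encrypted-looking files (example)."""
import math
import os
import shutil
import tempfile
import zipfile
from collections import Counter
from pathlib import Path

HIGH_ENTROPY = 7.2          # assumption: bits/byte; random or encrypted data is ~7.9+
NOTE_KEYWORDS = ("decrypt", "restore", "recover")     # assumption: generic note words
COMPRESSED_OK = {".zip", ".gz", ".7z", ".png", ".jpg", ".pdf"}  # high entropy by design
MIN_SIZE = 64               # too small to measure entropy meaningfully
SAMPLE_BYTES = 65536        # only the first 64 KiB is read per file


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of a byte string (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(path: Path) -> str:
    """Return 'note', 'encrypted' or 'ok' for a single file."""
    suffix = path.suffix.lower()
    if suffix in (".txt", ".html", ".hta") and any(k in path.name.lower() for k in NOTE_KEYWORDS):
        return "note"
    if suffix in COMPRESSED_OK:
        return "ok"          # legitimately dense formats; skip to avoid false positives
    with path.open("rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    if len(head) < MIN_SIZE:
        return "ok"
    return "encrypted" if shannon_entropy(head) >= HIGH_ENTROPY else "ok"


def scope(root: Path) -> dict:
    """Count note/encrypted/ok files per top-level directory (one share each)."""
    report = {}
    for p in root.rglob("*"):
        if p.is_file():
            share = p.relative_to(root).parts[0]
            report.setdefault(share, Counter())[classify(p)] += 1
    return {share: dict(counts) for share, counts in report.items()}


def demo() -> dict:
    """Build a constructed tree of three 'shares' and scope it."""
    root = Path(tempfile.mkdtemp())
    for share in ("finance", "hr", "backups"):
        (root / share).mkdir()
    text = ("Quarterly budget line items and notes for review. " * 20).encode()

    (root / "finance" / "budget.txt").write_bytes(text)                 # clean document
    (root / "finance" / "budget.txt.locked").write_bytes(os.urandom(4096))  # constructed 'encrypted' file
    (root / "finance" / "HOW_TO_RESTORE_FILES.txt").write_text("constructed note placeholder")
    (root / "hr" / "handbook.txt").write_bytes(text)
    with zipfile.ZipFile(root / "hr" / "photos.zip", "w") as zf:     # dense but legitimate
        zf.writestr("a.bin", os.urandom(512))
    (root / "backups" / "nightly.bak").write_bytes(os.urandom(4096))   # backups hit too

    report = scope(root)
    shutil.rmtree(root)
    return report


if __name__ == "__main__":
    for share, counts in demo().items():
        print(f"{share}: {counts}")
```

The per-share summary answers the questions in the step above (which shares, and are the backups affected) in one pass, and the "backups" line is the one to read first: if it shows encrypted files, the attached backup is not your recovery path and the offline copy is. Treat every hit as a lead to confirm by hand, not a verdict; the entropy test will also flag legitimately encrypted files such as password-protected documents, and a note name pattern can match an innocent file.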
At Upton Technologies we are here to help. If you have had an outbreak we will do our best to help you get through. If you are wanting to better your odds in preventing and thwarting these attacks we can help assess your current posture and develop remediation plans.
Ryan Stephens
Senior IT Security Consultant at Upton Technology