We’ve seen a number of small and larger companies in our network targeted by ransomware in recent weeks, so it seemed worth going into some detail on this topic, which I believe is a clear and present danger for companies of all sizes, including Jemurai!
We’ll talk about what we see and how to protect yourself or your organization.
The first few times I heard about ransomware, it was based on what seemed like random attacks on individual systems that were unlucky enough to be infected with the ransomware malware one way or another. The result was typically a single laptop that was “encrypted” and a ransom on the order of $1000 in Bitcoin.
The malware was distributed in lots of ways, but probably the most likely was by being planted in a site that an unsuspecting employee visited.
What we are seeing now are much more elaborate, targeted, contextual, directed attacks against companies. The infection vector might be an exposed server, phishing or a watering hole attack like the old days. But the actions after the compromise are quite different. Rather than immediately locking down the computer that has been owned, these attackers use it as a pivot point to move through the target organization’s network, gather information and reach additional targets.
These adversaries are advanced enough to seek out online backups, staging systems and other resources that could have been useful during an unassisted recovery. They likely put backdoors on many systems they attacked.
We have seen Bitcoin ransoms ranging from tens of thousands of dollars to millions, and they appear to be commensurate with the size of the business. Make no mistake, the attackers know who they are attacking and what the potential damage is.
It’s not only the attackers that are evolving. It has been noted that cyberinsurance may be evolving. The companies we talked to use a third party to negotiate and deliver the ransom.
As with many security goals, avoiding ransomware is a very difficult task that requires knowledge, attention to detail and a broad and ongoing commitment. In short, it is not easy and may not even be realistic in some cases.
That said, there are some important basic things that go into securing an organization from ransomware.
A key part of avoiding a ransomware event is empowering your employees to avoid visiting suspicious sites, disclosing their passwords, or falling victim to phishing schemes.
Another benefit of education is that employees’ observations can be an important mechanism for early detection. Ideally, we want our teams to understand how important it is to speak up when they see something suspicious.
Some of the cases we’ve seen appear to have been triggered by poor password hygiene. A password was guessed, reused, entered into the wrong system, phished, etc.
Our suggestion there is to implement a password manager. Bitwarden is an interesting example we have seen and used. It isn’t quite as slick as some of the other services but it is open source and you can run the server yourself if you want.
Other things that protect identity include:
- Multi-factor authentication (MFA) - hopefully with an app-based authenticator (e.g. Authy).
- Single Sign On (SSO) - using a minimum number of places to manage users gives you the best chance of fully disabling accounts in a timely manner.
Ultimately, your systems are only as secure as the passwords of the people that run them.
Sometimes we see companies with flat networks. Any machine can see any other machine once they join. This is not a good situation. Ideally, we want to see segmented networks (think disconnected graphs) that represent different parts of the business. In theory, we don’t want a compromise in one area to result in a broad compromise. That’s easier said than done in reality but maintaining proper network segmentation can significantly help to contain or lead to detection of a potential intrusion.
Look for financial systems and production systems containing customer facing applications to be on isolated and highly protected network segments.
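To make the "disconnected graphs" idea concrete, here is an added example (not part of the original post) that treats allowed flows between segments as a directed graph and reports the shortest chain of pivots from a compromised segment to a protected one. The segment names and flow rules are constructed for illustration.

```python
from collections import deque

# Constructed sample: which segments may open connections to which (hypothetical names).
FLOWS = {
    "workstations": {"staging", "print"},
    "staging": {"production"},          # easy to overlook: staging can reach production
    "jump-host": {"finance", "production"},
    "print": set(),
}
PROTECTED = {"finance", "production"}


def pivot_paths(flows, start, protected):
    """BFS over allowed flows; return {protected_segment: shortest path from start}."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        seg = queue.popleft()
        for nxt in sorted(flows.get(seg, ())):
            if nxt not in parent:
                parent[nxt] = seg
                queue.append(nxt)
    paths = {}
    for target in sorted(protected):
        if target in parent and target != start:
            path, node = [], target
            while node is not None:
                path.append(node)
                node = parent[node]
            paths[target] = path[::-1]
    return paths


def without_flow(flows, src, dst):
    """Return a copy of the flow table with one rule removed (a proposed firewall change)."""
    return {s: (d - {dst} if s == src else set(d)) for s, d in flows.items()}


if __name__ == "__main__":
    print(pivot_paths(FLOWS, "workstations", PROTECTED))
    print(pivot_paths(without_flow(FLOWS, "staging", "production"), "workstations", PROTECTED))
```

No rule lets workstations talk to production directly, yet production is still exposed through staging; the check only comes back empty once that indirect flow is removed.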
It should go without saying that servers (and endpoints for that matter) should be patched. Failure to keep up with patching, even on an internal network, makes it easy for an adversary to move around and compromise new systems once they are in the door. (MS08-067 FTW)
So patch often and aggressively.
In the event that an intruder locks you out of a particular system, in this case by encrypting it, you basically have to either find a backup or pay the ransom to get out of that situation.
Now, it is easy to say “make backups”. However, having and testing real backups is something we see companies struggle with all the time. It is even harder when what we’re saying is that you have to have secure backups.
What does that even mean? It means offline backups that are frequent and recent enough to be useful. They have to be offline (or otherwise protected) to ensure that they don’t get encrypted when everything else in your organization gets encrypted. We’ve seen attackers encrypt backups and test environments to ensure that the nearby online data can’t be used to break out of the ransom situation.
So keep backups, but also make sure you know which backups really are business critical and treat them as such, with commensurate attention, investment and protection.
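As an added example (not from the original post), the audit below checks the three properties described above together: for each business-critical system, at least one single backup copy must be offline, recent and restore-tested. The inventory, system names and the one-day and 90-day thresholds are assumptions made for illustration.

```python
from datetime import datetime, timedelta

NOW = datetime(2024, 1, 15, 12, 0)  # constructed reference time
CRITICAL = ["billing-db", "file-server", "crm", "payroll"]  # hypothetical systems
# Constructed inventory: (system, offline?, backup taken, last successful restore test)
COPIES = [
    ("billing-db", False, NOW - timedelta(hours=6), NOW - timedelta(days=10)),
    ("billing-db", True, NOW - timedelta(days=45), NOW - timedelta(days=40)),
    ("file-server", True, NOW - timedelta(hours=20), NOW - timedelta(days=30)),
    ("crm", True, NOW - timedelta(hours=12), None),
]


def copy_gaps(offline, taken, tested, now, max_age, max_test_age):
    """List what stops one backup copy from being usable after a ransomware event."""
    gaps = []
    if not offline:
        gaps.append("online")            # would be encrypted along with everything else
    if now - taken > max_age:
        gaps.append("stale")             # too old to be useful
    if tested is None or now - tested > max_test_age:
        gaps.append("restore untested")  # nobody has proven it restores
    return gaps


def audit(critical, copies, now,
          max_age=timedelta(days=1), max_test_age=timedelta(days=90)):
    """Return {system: gaps per copy} for critical systems with no fully usable copy."""
    findings = {}
    for system in critical:
        per_copy = [copy_gaps(o, t, r, now, max_age, max_test_age)
                    for s, o, t, r in copies if s == system]
        if not per_copy:
            findings[system] = [["no backup"]]
        elif all(per_copy):  # every copy has at least one gap
            findings[system] = per_copy
    return findings


if __name__ == "__main__":
    for system, gaps in audit(CRITICAL, COPIES, NOW).items():
        print(system, gaps)
```

Note that billing-db fails even though it has a fresh copy and an offline copy, because no single copy is both.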
Remember, the reason companies end up paying ransoms is that it is cheaper to pay the ransom than to suffer the downtime required to figure out how to restore.
Another important element of protecting your organization is making sure a compromise or breach is detected as early as possible. Many organizations use intrusion detection systems (IDS) for this, in combination with a Security Incident and Event Management system (SIEM).
This is not necessarily easy, and even well-meaning outsourced partners (e.g. SOC MSSP) are not always well positioned to properly identify attacks when they are successful.
But if you’re not watching your house, you don’t know who is in your house. Better not to be surprised that you have a host of long-standing visitors…
I do wonder… when the ransom gets paid and the servers get unlocked to bring a company back online, do the backdoors get removed?
To truly prevent the type of ransomware attack this post talks about, you need to comprehensively secure your environment. That may not be easy or possible for some organizations, but we are increasingly seeing consequences and wanted to lay out at least some of the basics in a public blog post in the hopes that it may help someone.