Listen To This Article - A Short Ad Pays For This Service
SCARS™ CYBER BASICS: Ransomware
Ransomware Is A Multi-Billion Dolar Industry
This document is written for more technical readers.
Ransomware is malware that locks your computer and mobile devices or encrypts your electronic files. When this happens, you can’t get to the data unless you pay a ransom.
HOWEVER, THIS IS NOT GUARANTEED AND YOU SHOULD NEVER PAY!
What Is Ransomware?
Ransomware is a type of malware that prevents you from accessing your computer (or the data that is stored on it). The computer itself may become locked, or the data on it might be stolen, deleted, or encrypted. Some ransomware will also try to spread to other machines on the network, such as the Wannacry malware that impacted the NHS in May 2017.
Normally you’re asked to make a payment (often demanded in a cryptocurrency such as Bitcoin), in order to unlock your computer (or to access your data). However, even if you pay the ransom, there is no guarantee that you will get access to your computer, or your files. Occasionally malware is presented as ransomware, but after the ransom is paid the files are not decrypted. This is known as wiper malware. For these reasons, it’s essential that you always have a recent offline backup of your most important files and data.
Should I Pay The Ransom?
Most entities generally advise not to pay the ransom, as there is no guarantee that you will get access to your device (or data).
Using A Defense In-Depth Strategy
Since there’s no way to completely protect your organization against malware infection, you should adopt a ‘defense-in-depth’ approach. This means using layers of defense with several mitigations at each layer. You’ll have more opportunities to detect malware, and then stop it before it causes real harm to your organization. You should assume that some malware will infiltrate your organization, so you can take steps to limit the impact this would cause, and speed up your response.
Getting Help – Helping Yourself
Interpol has collaborated on the creation of a central repository website for unlocking Ransomware at: www.nomoreransom.org
The battle is over for these ransomware threats. If you have been infected with one of these types of ransomware click on the link under its name and it will lead you to a decryption tool.
Tip 1: Make Regular Backups
The key action to take to mitigate ransomware is to ensure that you have up-to-date backups of important files; if so, you will be able to recover your data without having to pay a ransom.
Make regular backups of your most important files – it will be different for every organization – and check that you know how to restore the files from the backup.
Ensure that a backup is kept separate from your network (‘offline’), or in a cloud service designed for this purpose – our blog on offline backups in an online world provides useful additional advice for organizations.
Cloud syncing services (like Dropbox, OneDrive and SharePoint, or Google Drive) should not be used as your only backup. This is because they may automatically synchronize immediately after your files have been ‘ransomwared’, and then you’ll lose your synchronized copies as well.
Make sure the device containing your backup (such as an external hard drive or a USB stick) is not permanently connected to your network and that you ideally have multiple copies. An attacker may choose to launch a ransomware attack when they know that the storage containing the backups is connected.
Tip 2: Prevent Malware From Being Delivered To Devices
You can reduce the likelihood of malicious content reaching your network through a combination of:
- filtering to only allow file types you would expect to receive
- blocking websites that are known to be malicious
- actively inspecting content
- using signatures to block known malicious code
These are typically done by network services rather than users’ devices. Examples include:
- mail filtering (in combination with spam filtering) which can block malicious emails and remove executable attachments
- intercepting proxies, which block known-malicious websites
- internet security gateways, which can inspect content in certain protocols (including some encrypted protocols) for known malware
- safe browsing lists within your web browsers which can prevent access to sites known to be hosting malicious content
Public sector organizations are encouraged to subscribe to the NCSC Protective DNS or similar services; this will prevent users from reaching known malicious sites.
Some ransomware attacks are deployed by attackers who have gained access to networks through remote access software like RDP. You should prevent attackers from being able to brute-force access to your networks through this (or similar) software by either:
- authenticating using Multi-Factor Authentication (MFA)
- ensuring users have first connected through a VPN that meets our recommendations.
Tip 3: Prevent Malware From Running On Devices
A ‘defense in depth’ approach assumes that malware will reach your devices. You should, therefore, take steps to prevent malware from running. The steps required will vary for each device type and OS, but in general, you should look to use device-level security features such as:
Centrally manage enterprise devices in order to either:
- only permit applications trusted by the enterprise to run on devices using technologies including AppLocker, or
- only permit the running of applications from trusted app stores (or other trusted locations)
Consider whether enterprise antivirus or anti-malware products are necessary, and keep the software (and its definition files) up to date.
Provide security education and awareness training to your people.
Disable or constrain macros in productivity suites, which means:
- disabling (or constraining) other scripting environments (e.g. PowerShell)
- disabling autorun for mounted media (prevent the use of removable media if it is not needed)
- protect your systems from malicious Microsoft Office macros
In addition, attackers can force their code to execute by exploiting vulnerabilities in the device. Prevent this by keeping devices well-configured and up to date. We recommend that you:
- install security updates as soon as they become available in order to fix exploitable bugs in your products.
- enable automatic updates for operating systems, applications, and firmware if you can
- use the latest versions of operating systems and applications to take advantage of the latest security features
- configure host-based and network firewalls, disallowing inbound connections by default
Tip 4: Limit The Impact Of Infection And Enable Rapid Response
If put in place, the following steps will ensure your incident responders can help your organization to recover quickly.
- Help prevent malware from spreading across your organization by preventing lateral movement. This will help because attackers aim to move across machines on the network. This might include targeting authentication credentials or perhaps abusing built-in tools.
- Use two-factor authentication (also known as 2FA) to authenticate users so that if malware steals credentials they can’t be reused.
- Ensure obsolete platforms (OS and apps) are properly segregated from the rest of the network.
- Regularly review and remove user permissions that are no longer required, to limit malware’s ability to spread. Malware can only spread to places on your network that infected users’ accounts have access to.
- System Administrators should avoid using their administrator accounts for email and web browsing, to avoid malware being able to run with their high levels of system privilege.
- Architect your network so that management interfaces are minimally exposed (our blog post on protecting management interfaces may help).
- Practice good asset management, including keeping track of which versions of the software are installed on your devices so that you can target security updates quickly if you need to.
- Keep your infrastructure patched, just as you keep your devices patched and prioritize devices performing a security-related function on your network (such as firewalls), and anything on your network boundary.
- Develop an incident response plan and exercise it.
Steps to take if your organization is already infected
If your organization has already been infected with malware, these steps may help limit the impact of the infection.
- Immediately disconnect the infected computers, laptops, or tablets from all network connections, whether wired, wireless or mobile phone-based.
- Consider whether turning off your Wi-Fi and disabling any core network connections (including switches) might be necessary in a very serious case.
- Reset credentials including passwords (especially for administrators) – but verify that you are not locking yourself out of systems that are needed for recovery.
- Safely wipe the infected devices and reinstall the operating system.
- Before you restore from a backup, verify that it is free from malware and ransomware. You should only restore from a backup if you are very confident that the backup is clean.
- Connect devices to a clean network in order to download, install, and update the operating system and all other software.
- Install, update, and run antivirus software.
- Reconnect to your network.
- Monitor network traffic and run antivirus scans to identify if any infection remains.
Note: Files encrypted by most ransomware have no way of being decrypted by anyone other than the attacker. Don’t waste your time or money on services that promise to do it. In some cases, security professionals have produced tools that can decrypt files due to weaknesses in the malware (which may be able to recover some data), but you should take precautions before running unknown tools on your devices.
IN THE UNITED KINGDOM
- The National Crime Agency encourages anyone who thinks they may have been subject to online fraud to contact Action Fraud at https://www.actionfraud.police.uk.
- The National Cyber Security Centre (NCSC) runs a commercial scheme called Cyber Incident Response, where certified companies provide crisis support to affected organizations.
- The Cyber Security Information Sharing Partnership (CiSP) offers organizations in the UK a safe portal in which to discuss and share intelligence that can assist the community and raise the UK’s cyber resilience. We encourage our members to share technical information and indicators of compromise so that the effects of new malware, and particularly ransomware, can be largely reduced.
- You may also wish to consider the Cyber Essentials certification scheme (which covers a number of these mitigations) so your customers and partners can see that you have addressed these risks. Many of these mitigations also work well against other types of attacks, such as phishing.
- Consider following the NCSC guidance on protecting your organization from phishing attacks.
- Learn more here: https://www.ncsc.gov.uk/guidance/mitigating-malware-and-ransomware-attacks
IN THE UNITED STATES
- Contact your local FBI office immediately to report the ransomware attack and follow their guidance.
- If you are able to recover be sure to report the ransomware attack on the FBI’s www.IC3.gov