Ransomware Epidemic Demystified
Recent news from the cyber world continues to report a rise in ransomware attacks. This is obviously due to increased media awareness, but we can confirm that Digital Edge has already doubled the number of requests for our CyberSecurity Incident Response Team remediation from new customers and other MSPs in YTD 2019 versus all of 2018.
This is clearly an alarming trend, and responding to it has become part of our daily routine. We therefore want to demystify these attacks and provide a simple breakdown of the events and steps involved. Our Advanced Support Specialist, Vlad Vaulin, whose team has worked on these incidents, defined the overall scope of the attacks, what we found in the course of recovery, and his professional advice on avoiding them.
What happens during a Ransomware Attack?
After logging in to your system, you may suddenly find that the usual processes are not working and that files have been renamed. A ransomware attack may be underway: its malware component renames and encrypts every file it can reach, especially files on network shares. The attack then usually announces itself with a pop-up (the ransom note) offering to decrypt and return the files undamaged in exchange for a payment, typically demanded in cryptocurrency.
Ransomware is itself a form of malware, but it differs from most other malware in that it announces itself and demands money to "fix" the damage, whereas other malware tries to corrupt or compromise your system's integrity unannounced. Such malware can give an attacker access to your system's resources to spy and collect confidential information, delete files or damage system functionality, potentially rendering servers inoperable, or it can enrol the machine in a botnet so the attack can continue at will and as programmed.
While different, malware and ransomware can be part of the same attack. For example, a hacker gets in using malware and then launches the ransomware through the access obtained.
The main issue with ransomware: without the key you cannot decrypt the files, so unless you have backups your data is lost until the hacker group provides the decryption key.
How does this happen?
One entry point is an unpatched, publicly accessible web system or site. Injection vulnerabilities in web applications, for example in WordPress sites, are a common way in. A hacker easily penetrates an unpatched web application and plants malicious code that gives access to your systems' resources (servers, etc.) and data, to be triggered whenever the attacker is ready.
The other popular route is an email attachment opened by someone on their computer or inside a terminal server session. Once the malicious software runs, it will exfiltrate (steal), corrupt or delete, or encrypt anything it can access.
Companies have tried to come up with ways to contain ransomware attacks, e.g. if a process makes more than 10 file changes in a 10-second period, kill whatever is causing it. However, such heuristics do not guarantee protection: an encryptor that works slowly enough stays under the threshold, and the files changed before the threshold is crossed are already lost.
In most cases, the company does not keep up with proper updates and maintenance, leaving servers unpatched.
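The following is an added example of the rate-based containment heuristic just described; it is not Digital Edge's tooling or code from the original article. It keeps a sliding window of file changes per process and flags a process the first time it exceeds 10 changes in 10 seconds. The file events, process IDs, share paths and the threshold constants are all constructed for the example; on a real host the events would come from a file-audit or EDR feed and the response would actually terminate the process and isolate the machine. The constructed input includes a throttled encryptor to show the caveat: it never crosses the threshold and is missed entirely.

```python
"""Sliding-window file-change rate detector (added example, constructed data)."""
from collections import deque
from dataclasses import dataclass

MAX_CHANGES = 10      # assumption: more than this many changes ...
WINDOW_SECONDS = 10   # ... inside this window marks a process as suspicious


@dataclass
class FileEvent:
    ts: float    # seconds since epoch
    pid: int     # process that touched the file
    path: str    # file that was written or renamed
    op: str      # "rename" or "write"


class RateDetector:
    """Track per-process change timestamps and flag rate-threshold violations."""

    def __init__(self, max_changes=MAX_CHANGES, window=WINDOW_SECONDS):
        self.max_changes = max_changes
        self.window = window
        self.history = {}     # pid -> deque of timestamps inside the window
        self.flagged = set()  # pids already reported

    def observe(self, ev):
        """Return True the first time ev.pid crosses the threshold."""
        if ev.pid in self.flagged:
            return False
        q = self.history.setdefault(ev.pid, deque())
        q.append(ev.ts)
        # Drop timestamps that have fallen out of the window.
        while q and ev.ts - q[0] > self.window:
            q.popleft()
        if len(q) > self.max_changes:
            self.flagged.add(ev.pid)
            return True
        return False


def respond(ev):
    """Placeholder response: a real deployment would kill the process and isolate the host."""
    print(f"[ALERT] pid {ev.pid} exceeded change rate while touching {ev.path}; kill and isolate")


def run(events, max_changes=MAX_CHANGES, window=WINDOW_SECONDS):
    """Feed time-ordered events through the detector; return the set of flagged pids."""
    det = RateDetector(max_changes, window)
    for ev in sorted(events, key=lambda e: e.ts):
        if det.observe(ev):
            respond(ev)
    return det.flagged


def constructed_events():
    """Constructed sample feed: a fast encryptor, a throttled encryptor and a normal user."""
    events = []
    # pid 4242: renames 12 files in 3 seconds -> crosses 10-in-10 at the 11th rename.
    for i in range(12):
        events.append(FileEvent(1000.0 + i * 0.25, 4242, f"//fs01/shared/doc{i}.docx.locked", "rename"))
    # pid 5151: one file every 2 seconds -> at most 6 per window, never flagged (the caveat).
    for i in range(30):
        events.append(FileEvent(1000.0 + i * 2.0, 5151, f"//fs01/shared/sheet{i}.xlsx.locked", "rename"))
    # pid 777: an interactive user saving a report now and then.
    for i in range(3):
        events.append(FileEvent(1005.0 + i * 4.0, 777, "//fs01/shared/report.docx", "write"))
    return events


if __name__ == "__main__":
    print("flagged:", run(constructed_events()))
```

Lowering `max_changes` catches the throttled encryptor in this sample, but on a real file server it also starts flagging legitimate bulk operations (backup agents, compilers, mass copies), which is why this rule is a containment aid rather than a guarantee.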
From Our Experience:
A client had a terminal server that users connected to remotely, and the system was not patched. A hacker was able to exploit it, gained access to the system and kicked off a ransomware attack. Since the client did not have proper security, the hacker had access to everything available. It affected the client's file shares, encrypting everyone's documents.
We also saw infections through remote code execution vulnerabilities in web-based software. In most cases, the infection propagated because operating systems and antivirus software were outdated.
When it comes to recovery, we noticed that in many cases companies have adequate backup policies but lack fast, comprehensive, and uniform backups. Even though a backup policy is in place, the speed of recovery is not sufficient after a typically fast and pervasive ransomware attack. Backup policies and procedures are normally designed to recover single devices, such as a failing server. During a ransomware attack, however, a massive recovery has to happen simultaneously, and our team sees a lack of recovery speed. In other words, the pre-existing processes and procedures prevent a fast recovery.
Digital Edge assists with assessing the hack by determining how it got onto the system. The cleanup process includes taking the infected box offline, verifying that nothing else has spread, and restoring data. We also advise on how to prevent a ransomware attack from happening again and on locking down file share permissions.
Our Advice:
- BACKUP BACKUP BACKUP: without backups, encrypted files cannot be restored. Make sure backups are UP TO DATE. We recommend taking them DAILY at a minimum, if not more frequently; how often depends on how often your data changes and how sensitive it is. Keep at least one copy offline or otherwise unreachable from the hosts being protected, since ransomware encrypts everything it can reach, and a backup volume mapped as a share is no exception.
- OS patching and antivirus updates must be done regularly.
- Security practices: penetration testing shows you what is not patched. Make sure you are not running outdated or unpatched servers. Anything public-facing should be locked down as tightly as possible.
- User awareness and training: DO NOT open unexpected emails and attachments. Training raises awareness of the different ways someone can be attacked and of the preventive actions they can take.
- Test your backup recovery policies and procedures, including access, encryption keys and speed. In many cases you should review, and possibly redesign, your backup recovery processes and procedures.
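The two backup checks the advice above asks for, freshness (is the latest backup recent enough?) and restore integrity (does what comes back match what was backed up?), as an added example that is not part of the original article or of Digital Edge's tooling. The manifest format, the 24-hour freshness limit, the directory layout and the file contents are assumptions constructed for the example; it builds a small share in a temporary directory, records a SHA-256 manifest at backup time, "restores" the data, then tampers with one restored file to show the integrity check catching it.

```python
"""Backup freshness and restore-integrity check (added example, constructed data)."""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

MAX_AGE_HOURS = 24  # assumption: matches the "daily at minimum" advice


def sha256_file(p):
    """Stream a file through SHA-256 so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with p.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(source, manifest, taken_at):
    """Record when the backup was taken and a digest of every file under source."""
    files = {
        f.relative_to(source).as_posix(): sha256_file(f)
        for f in sorted(source.rglob("*")) if f.is_file()
    }
    doc = {"taken_at": taken_at, "files": files}
    manifest.write_text(json.dumps(doc))
    return doc


def is_fresh(manifest, now, max_age_hours=MAX_AGE_HOURS):
    """True if the backup recorded in manifest is younger than max_age_hours."""
    doc = json.loads(manifest.read_text())
    return (now - doc["taken_at"]) <= max_age_hours * 3600


def verify_restore(manifest, restored):
    """Return the relative paths that are missing from the restore or differ from the manifest."""
    doc = json.loads(manifest.read_text())
    bad = []
    for rel, digest in doc["files"].items():
        f = restored / rel
        if not f.is_file() or sha256_file(f) != digest:
            bad.append(rel)
    return bad


def demo():
    """Run both checks against a constructed share; returns the results for inspection."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        share, restored, manifest = root / "share", root / "restored", root / "backup.json"
        (share / "q1").mkdir(parents=True)
        (share / "budget.xlsx").write_bytes(b"constructed spreadsheet bytes")
        (share / "q1" / "notes.docx").write_bytes(b"constructed document bytes")

        now = time.time()
        write_manifest(share, manifest, taken_at=now - 2 * 3600)   # backup taken 2 hours ago
        fresh = is_fresh(manifest, now)

        stale_manifest = root / "old.json"
        write_manifest(share, stale_manifest, taken_at=now - 3 * 24 * 3600)  # 3 days old
        stale = is_fresh(stale_manifest, now)

        shutil.copytree(share, restored)                  # a clean restore
        clean_result = verify_restore(manifest, restored)

        # Simulate a restore that brought back an already-encrypted copy of one file.
        (restored / "q1" / "notes.docx").write_bytes(b"ENCRYPTED-BY-RANSOMWARE")
        tampered_result = verify_restore(manifest, restored)

        return {
            "fresh": fresh,
            "stale": stale,
            "clean_restore": clean_result,
            "tampered_restore": tampered_result,
        }


if __name__ == "__main__":
    print(demo())
```

Timing the `copytree` step in `demo()` against a realistic data set is the simplest way to measure the recovery speed the advice refers to; if the restore of one share already takes hours, restoring every share at once after an attack will not be fast enough.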
“You can’t run a terminal server without some kind of endpoint protection. If a company doesn’t have backups of data, and gets a ransomware attack, it is considered lost unless the company pays ransom money. However, this is not suggested because it reinforces the idea of ransomware attacks and it doesn’t guarantee they’ll give you anything.”
-Vlad Vaulin, Advanced Support Specialist, Digital Edge
What Digital Edge Can Offer You:
We stress the importance of monitoring patching and update processes (systems must be up to date), penetration testing, both internal and external, and monitoring for security alerts. We need to see what is secure and what is insecure. We suggest doing this on a monthly basis, especially if you are adding or changing things; even if you are not, your existing systems still have to be maintained. New exploits come out constantly, and finding no vulnerabilities last month does not mean you are safe this month. If you are not aware of what vulnerabilities you have, how are you going to fix them? The test picks up these vulnerabilities so they can be patched.
Digital Edge offers packages including Security Operations, CyberSecurity Monitoring, and vulnerability scans, as well as remediation of any issues the scans raise.
Digital Edge is available to help organizations in the case of a CyberSecurity crisis.