The story, at this point, is getting kind of old.
More importantly, the advice on how to protect your organization is even older.
I did some “masterful” searching on the web for some older virus variants that I remember responding to, sadly over ten years ago, and found some interesting advice from the folks at CERT and NIST that, basically, is the foundation for my advice regarding ransomware today. Hiding your head in the sand isn’t an option. So, let’s take a look at some actual steps to protect your organization.
Ransomware is a malicious software infection that typically encrypts data on a system and then asks you to pay a ransom to have your files decrypted. The sophistication of ransomware has evolved and matured over the past couple of years, and the development cycle has gotten shorter. But we are not concerned with the “who, why, or how”. We have the obligation to protect the confidentiality and integrity of data and keep things up and running.
There are some things that we can do to prevent a ransomware attack from succeeding, or at a minimum from holding our data hostage.
Plan and Protect
Take the time to identify what keeps you in business from an IT perspective, and focus your efforts there first. Make sure that you have implemented a complete Vulnerability Management Process. At a minimum, ensure that you are keeping up with patches, have endpoint protection in place, and have hardened systems to reduce the attack surface as much as possible.
If ransomware is your primary concern, you may want to leverage some outside help. I have recently been able to use a service from OpenDNS that can give an organization the ability to implement preventative measures to get out ahead of a malware incident. I am impressed with the speed and ease that the tool can be implemented with, coupled with what I consider to be a big step up in the level of protection that is achieved once it is in place. We are talking minutes to hours to implement, not days or weeks.
Users and IT staff both need to have some awareness training. Users should be instructed to carefully consider what types of email attachments and links should be opened or clicked on. As I type this, I am reminded of the fact that this has been the same guidance for the past twenty years or so. But I suspect that, while the advice is the same, there are new users to educate.
Let’s also make sure that system administrators are not using servers for general use computing like browsing the internet and reading email. While this may seem obvious, it’s a good time to remind them.
Respond and Recover
These are the areas where you really need to put your work in ahead of time.
In the past few weeks I have had customers call for assistance with ransomware. The first question I have is, “Do you have backups?” For those that respond with “No”, you can hear the implied, “I know. I should have been backing up these systems all along. And now my files are encrypted.” in their voice.
I don’t give advice whether to pay the ransom or not. That is a decision that senior management should make. As far as I can tell, most people that do pay get their files back, but there are ethical issues that I would prefer to stay out of.
Fortunately for us, we have thirty days, like the title of this article says. So, let’s think about how to plan our response and recovery.
First things first, let’s get those systems backed up. And, also, let’s make sure that we can restore to an acceptable state, and that could be just the file level or a complete restore of the system. Let’s also make sure that the backup system is not vulnerable to a potential ransomware attack. Nothing like encrypted backups to thwart our efforts.
We need a good incident response plan. Have one and test it out, and make changes where gaps are identified. Find out if your organization has the ability to identify and respond to security events before they occur. Take the time to conduct at least a tabletop exercise. At a minimum it will get all parties needed for the response together to collaborate, and, ideally, give your organization a better sense of the ability to respond to a security incident.
The above advice is not much different than what has been circulated on the internet in recent weeks and months. I will add few things that I have seen personally that should also be taken into consideration.
Mapped files and folders – Ransomware variants will encrypt local disks and mapped drives as well. You should review the use of mapped drives and the file and folder permissions given to users. Users should have the minimum amount of access that still allows the business to operate.
Critical data stored on workstations – While this might seem obvious, if a user keeps critical data such as financial information to perform analysis on it, it should not be the only copy and should be backed up regularly.
Try to identify the root cause – Ransomware typically infects a system through malicious web content or a malicious file or attachment, and usually does not propagate through the environment. If you have a lot of systems being affected by the same variant, chances are users are opening the same attachment or file, or are viewing the same web site and getting infected. Find out what is causing the infection, which may require some people skills, in addition to solid technical skills.
I believe that a good security program can be attained by organizations of all sizes, and when done well, prepare us for many security events. While the above is not a comprehensive approach to IT Security and Risk Management, it is a good starting point for anticipating and responding to a malware or ransomware event.
You have thirty days to get ready. Let us know how it works out.