Ransomware: Prepare for emergencies
Cyber Threat
Ransomware repeatedly took down large and critical infrastructures in 2020, so protection against ransomware Trojans once again, or still, has to be a focus of IT security this year. No panacea is in sight, but a number of security measures are well worth evaluating.
The publicly known ransomware attacks of 2020 mainly relied on encryption Trojans. Although the perception was that public institutions were most affected, the number of companies hit also increased significantly. The low point was an attack on University Hospital Düsseldorf: An emergency patient who could not be admitted there died after treatment was delayed by an hour at a more distant hospital.
Blackfog [1] has compiled the publicly known ransomware incidents in different sectors. Most affected were manufacturing, services, and government. The figures are from the first to third quarters of 2020, with the United States accounting for more than half of all cases. Overall, a significantly larger number of unreported cases can be assumed.
The great financial risk that ransomware poses to companies can be seen from the estimated damage of more than $20 billion in 2021 [2]. In individual cases, a successful ransomware attack can permanently cripple an entire company and even ruin it, making it important to detect an ongoing ransomware attack as soon as possible.
Insidious Blackmailers
Early blackmail Trojans simply blocked the use of a computer under some pretext and demanded a ransom to unlock it. Modern variants instead encrypt the victim's data, and removing the malware does nothing to bring that data back.
The malware can enter your infrastructure in different ways: attached to emails, in manipulated downloads, or on USB sticks that employees bring into the company. Once it has established itself on a system, ransomware often does not become active immediately. Instead, it first observes routine IT processes, the network drives that exist, and the backup media that are mounted temporarily.
At the right moment – from the attacker's point of view, ideally when the network drives are mounted, the connection to the backup medium is active, and the logged-in user is expected to be away for a while – the ransomware starts encrypting user files and destroys the originals afterward. With large files, some variants encrypt only the first few (hundred) megabytes, which is usually enough to render them unusable, although it occasionally lets you recover at least fragments of the data. The first ransomware variants used a fixed password or a symmetric key embedded in the malware, which could sometimes be recovered from the sample itself; current versions rely on public key cryptography, typically encrypting each file with a fresh symmetric key that is in turn encrypted with the attacker's public key. The matching private key never leaves the attacker, and recovering the data without it is practically impossible.
Recently, attackers have upped their game. Because many organizations turned out to be able to restore encrypted data from backups, criminals now exfiltrate the data before encrypting it (double extortion). If the victim fails to pay, the files not only remain encrypted but also end up on the darknet, available to anyone willing to buy them. If they include confidential or secret documents, the affected company is in trouble despite its backups.
Preventing Infection
No measure offers complete protection against ransomware. As a preventive step, employees should not open attachments from unknown senders; recipients of such messages should check the sender information and, in case of doubt, confirm with the sender through another channel that the file is legitimate.
Macros currently represent a major gateway for malware: The active content in an Office document acts as an initial downloader that retrieves and launches the actual malware. Wherever possible, disable macros throughout your company, or at least block them in documents that were received from the Internet, and regularly alert employees to the danger.
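Because the decision to open an attachment should not rest on the user alone, a mail gateway or a help desk can inspect the file itself. The following Python check is an added example (my own code, not from the original article) that relies on the OOXML container format: a macro project is stored as a vbaProject.bin part and declared in [Content_Types].xml with the content type application/vnd.ms-office.vbaProject, and Excel 4.0 macro sheets live under xl/macrosheets/. Legacy binary formats (.doc, .xls) are OLE2 compound files rather than ZIP containers and are flagged for separate inspection. The function name classify_attachment and the sample documents built by build_sample_docx are my own constructions.

```python
"""Flag Office attachments that carry macros before a user opens them."""
import io
import zipfile

VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
# Legacy binary Office files (.doc/.xls/.ppt) are OLE2 compound files,
# not ZIP containers; this is their fixed 8-byte signature.
OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"


def classify_attachment(data: bytes) -> str:
    """Return 'macro', 'clean', 'legacy-binary', or 'not-office'.

    The decision is based on the file contents, never on the extension,
    because the sender chooses the extension freely.
    """
    if data.startswith(OLE2_MAGIC):
        # Needs an OLE2 parser (e.g., oletools) to inspect; treat as suspect.
        return "legacy-binary"
    if not data.startswith(b"PK"):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            # 1) A VBA project part anywhere in the package (word/, xl/, ppt/).
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return "macro"
            # 2) Excel 4.0 (XLM) macro sheets do not need a VBA project at all.
            if any(n.startswith("xl/macrosheets/") for n in names):
                return "macro"
            # 3) The content-type declaration catches a renamed VBA part.
            if "[Content_Types].xml" in names:
                types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                if VBA_CONTENT_TYPE in types:
                    return "macro"
    except zipfile.BadZipFile:
        return "not-office"
    return "clean"


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed minimal Word package, used only to demonstrate the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        types = [
            '<?xml version="1.0" encoding="UTF-8"?>',
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">',
            '<Override PartName="/word/document.xml" '
            'ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>',
        ]
        if with_macro:
            types.append('<Override PartName="/word/vbaProject.bin" '
                         f'ContentType="{VBA_CONTENT_TYPE}"/>')
            zf.writestr("word/vbaProject.bin", b"\x00" * 32)  # placeholder, not real VBA
        types.append("</Types>")
        zf.writestr("[Content_Types].xml", "".join(types))
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("macro", build_sample_docx(True)),
                        ("clean", build_sample_docx(False)),
                        ("legacy", OLE2_MAGIC + b"\x00" * 8),
                        ("pdf", b"%PDF-1.4\n")):
        print(f"{label:7s} -> {classify_attachment(blob)}")
```

Anything classified as "macro" or "legacy-binary" belongs in quarantine until someone has looked at it; a "clean" verdict only says the package declares no macro project, not that the document is harmless (an embedded OLE object or an external link is a different check).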
Additionally, you can use group policies to prevent the installation of unsigned software on workstations and servers and to lock out USB storage devices. Ideally, you also physically seal the USB ports on the computers to prevent manipulated USB devices from being connected. You can try for yourself what such devices are capable of: The "USB Rubber Ducky" [3] from Hak5 looks like a USB stick, but it presents itself to the system as a keyboard and injects keystrokes, which lets it execute more or less arbitrary commands.
Even if the horse has already bolted, you still have a chance to react and limit the damage. One option is a honeypot: a decoy file share that is mounted on each of your systems, either permanently or automatically at regular intervals.
The files on it should look like ordinary files from your company, but must not be files that anyone actually works on. Monitor them for changes and react immediately when a file in the honeypot is modified, renamed, or deleted: Isolate the offending host from the network as quickly as possible, ideally automatically, for example by having your monitoring system shut down the switch port or quarantine the host, depending on the network hardware in use.
Another alternative is to audit file changes. You can use Windows on-board tools (object access auditing with an audit ACL on the share) or commercial software such as FileAudit [4], which lets you write scripts that react immediately to undesirable access attempts. The developers show examples in a blog post [5].
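The following Python script is an added example, not part of the original article or of FileAudit, of the change detection behind both the honeypot and the file-audit approach described above. It records a baseline of the decoy share (size and SHA-256 per file), compares the share against it on every run, and classifies each change: a modified file whose content is now close to 8 bits of entropy per byte is reported as encrypted rather than merely modified, which separates a ransomware run from someone accidentally saving a document on the share. The isolation hook is left to you (it is where you would trigger the switch port shutdown or NAC quarantine); the share path and the sample files in run_demo are constructed for the demonstration.

```python
"""Canary (honeyfile) monitor for a decoy file share."""
import hashlib
import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

# Encrypted or compressed data approaches 8 bits of entropy per byte;
# office documents, CSV, and source text stay well below this.
ENTROPY_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for an empty file)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def snapshot(root) -> dict:
    """Map each file under `root` (relative path) to (size, sha256)."""
    root = Path(root)
    snap = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            data = p.read_bytes()
            snap[p.relative_to(root).as_posix()] = (len(data), hashlib.sha256(data).hexdigest())
    return snap


def detect_tampering(root, baseline: dict) -> list:
    """Compare the share with the baseline; return one alert dict per change."""
    root = Path(root)
    current = snapshot(root)
    alerts = []
    for rel, (_, digest) in baseline.items():
        if rel not in current:
            alerts.append({"file": rel, "event": "deleted"})     # or renamed away
        elif current[rel][1] != digest:
            entropy = shannon_entropy((root / rel).read_bytes())
            event = "encrypted" if entropy >= ENTROPY_THRESHOLD else "modified"
            alerts.append({"file": rel, "event": event, "entropy": round(entropy, 2)})
    for rel in current:
        if rel not in baseline:
            alerts.append({"file": rel, "event": "created"})     # ransom note, renamed file
    return alerts


def respond(alerts: list, isolate_host) -> bool:
    """Nobody works on the honeypot, so any change is an incident: isolate once."""
    if not alerts:
        return False
    isolate_host(alerts)   # hypothetical hook: switch port shutdown, NAC quarantine, ...
    return True


def run_demo() -> dict:
    """Constructed scenario: baseline, then a ransomware-style run over the share."""
    share = Path(tempfile.mkdtemp(prefix="honeypot-"))
    try:
        (share / "Q3-report.docx").write_bytes(b"quarterly figures, draft 3\n" * 200)
        (share / "salaries.xlsx").write_bytes(b"name;department;salary\n" * 100)
        baseline = snapshot(share)
        quiet = detect_tampering(share, baseline)          # nothing touched yet
        # Simulated attack: one file overwritten with ciphertext, one renamed.
        (share / "Q3-report.docx").write_bytes(os.urandom(4096))
        os.replace(share / "salaries.xlsx", share / "salaries.xlsx.locked")
        alerts = detect_tampering(share, baseline)
        isolated = []
        triggered = respond(alerts, isolated.append)
        return {"quiet": quiet,
                "events": {a["file"]: a["event"] for a in alerts},
                "triggered": triggered,
                "isolate_calls": len(isolated)}
    finally:
        shutil.rmtree(share, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())
```

Run detect_tampering from a scheduled job on the file server rather than from a client: the baseline and the script must live where a compromised workstation cannot alter them, and the check should read the share directly, not through a mount the ransomware may already be encrypting.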
Check Backups
If your employees cannot prevent an attacker from infiltrating your systems and encrypting important files, a sound backup strategy is ultimately the only thing that can help you. The malware itself must never gain access to the backup, which means the backup system pulls data from the individual workstations and servers, but they have no access to the backup system in return.
Above all, you must prevent users from modifying or deleting their own backups. The U.S. Computer Emergency Readiness Team (US-CERT), for example, recommends the 3-2-1 backup principle [6]: three copies of the data (the production copy and two backups) on two different media (e.g., hard disks and tape), one of which is stored at a different location.
Variants of this concept exist: 3-1-2 allows the two backups to be on the same type of medium as long as they are in two different remote locations, and 3-2-3 requires two different media at three different locations.
Whatever strategy you choose, under no circumstances should the malware be able to delete backups, and your retention period must be long enough that encrypted files cannot displace every readable copy before the attack is noticed. Check that your backups are intact, especially during the vacation season and between Christmas and New Year. You can automate this by regularly verifying a defined set of files and feeding the result into your monitoring.
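As an added example of the automated check suggested above (my own code, not from the article or US-CERT), this Python script builds a manifest of SHA-256 hashes for a defined set of files while the data is known to be good and verifies every backup generation against it. It also answers the retention question: for each file, does at least one generation still hold an intact copy? The result is mapped to a Nagios/Icinga-style exit code so the check can be dropped into monitoring. The manifest must be stored where the backup clients cannot write; the directory layout and sample files in run_demo are constructed for the demonstration.

```python
"""Verify backup generations against a known-good manifest."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file so that large backups do not end up in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, patterns=("*",)) -> dict:
    """Map relative path -> sha256 for the files to watch (taken while data is known good)."""
    root = Path(root)
    manifest = {}
    for pattern in patterns:
        for p in sorted(root.rglob(pattern)):
            if p.is_file():
                manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def verify_backup(generation_root, manifest: dict) -> dict:
    """Check one backup generation; classify every manifest file."""
    root = Path(generation_root)
    report = {"ok": [], "changed": [], "missing": []}
    for rel, digest in manifest.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_of(p) != digest:
            report["changed"].append(rel)     # encrypted, truncated, or replaced
        else:
            report["ok"].append(rel)
    return report


def intact_copy_exists(generation_roots, manifest: dict) -> dict:
    """Retention check: True per file if any generation still holds a good copy."""
    result = {rel: False for rel in manifest}
    for gen in generation_roots:
        for rel in verify_backup(gen, manifest)["ok"]:
            result[rel] = True
    return result


def monitoring_status(report: dict) -> tuple:
    """Nagios/Icinga convention: 0 OK, 2 CRITICAL, with a one-line summary."""
    if report["changed"] or report["missing"]:
        return 2, f"CRITICAL - {len(report['changed'])} changed, {len(report['missing'])} missing"
    return 0, f"OK - {len(report['ok'])} files verified"


def run_demo() -> dict:
    """Constructed scenario: a good generation, then one pulled after the attack."""
    work = Path(tempfile.mkdtemp(prefix="backupcheck-"))
    try:
        src = work / "fileserver"
        src.mkdir()
        (src / "contracts.pdf").write_bytes(b"%PDF-1.4 contract text\n" * 50)
        (src / "ledger.csv").write_bytes(b"date;amount\n2020-12-01;42\n" * 50)
        manifest = build_manifest(src)       # taken while the data is known good
        gen1 = work / "backup-2020-12-20"
        shutil.copytree(src, gen1)
        # Ransomware hits the file server; the next pull faithfully copies the damage.
        (src / "ledger.csv").write_bytes(os.urandom(2048))
        (src / "contracts.pdf").unlink()
        gen2 = work / "backup-2020-12-27"
        shutil.copytree(src, gen2)
        return {
            "gen1": verify_backup(gen1, manifest),
            "gen2": verify_backup(gen2, manifest),
            "status_gen2": monitoring_status(verify_backup(gen2, manifest)),
            "retention_ok": intact_copy_exists([gen1, gen2], manifest),
            "retention_latest_only": intact_copy_exists([gen2], manifest),
        }
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The second generation in the demo is exactly what a backup job produces after a ransomware run: it completes without error, so only the content check reveals that the copy is worthless, and only the older generation still holds usable data. Keeping the older generation long enough for this comparison to succeed is what the retention requirement above amounts to.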
To prevent, or at least hamper, the parallel exfiltration of data by ransomware, access to confidential data in the company must be restricted as far as possible, regardless of the ransomware threat.
Additionally, such data should be stored only in encrypted form and decrypted only temporarily for direct use by an authorized account. Last but not least, you or the management must put procedures in place for the event of a data leak and prepare for the day it happens.