
How to protect your organization from the growing threat of ransomware attacks

Kevin Dawe

--

At my previous job as a solo sysadmin in a growing SaaS company, two things regularly kept me up at night: first, that the servers were going to crash, and second, that we were going to get hacked.

With our datacentre humming away at five nines’ worth of uptime, I shifted focus to Cover My Ass (rather, my company’s) against a looming threat — that of ransomware.

A spate of cryptolocker attacks has been afflicting organizations and making the news lately. Commonly publicized victims include local municipalities and hospitals, but the truth is that all organizations are at risk, regardless of space or sector. SMBs are especially vulnerable as they are often resource-limited, and a single security incident they are unprepared for can mean the end of a company.

In this post, I’ll explain how to prepare for such attacks and recover from them, so you can sleep soundly if this topic happens to fall under your purview. If you aren’t a member of the IT team, I’ll do my best to inform you of the subject and provide you with a checklist to run by those who are responsible, to ensure your organization is doing the things it should to protect itself and prepare for the worst.

Doomsday prepping

A failure of technology, combined with a single ill-informed user clicking on a malicious link or attachment can have catastrophic consequences for an organization. Since we know that both software and its creators are flawed, we must be vigilant in mitigating those threats.

As always, the first step is to get informed (which is what you’re doing right now), the second is to prevent the attacks, and the final step is to prepare for the unfortunate case in which they succeed.

Prevention

Train your users

Who doesn’t love an all-hands meeting? There are free sandwiches and coffee, and you get to spend an hour daydreaming about what your life could have been if only you’d followed your dreams. This, plus mandatory readings, may be a fair starting point, but there are more modern and effective approaches:

  1. Have some fun and see if you can get your users to fall for phishing emails you send yourself! You could do this manually by setting up an email on a generic domain imitating management or IT, and seeing if you can get a hit. Or even easier, use a tool to help do this for you like Gophish (open source).
  2. Pay an organization to perform the above for you. I’ve never done this, so I don’t have any recommendations for who to use — but there are a lot of options out there. This may be easier if you’re part of a large organization that has the budget for it, or a small organization lacking the know-how to do it in-house.
  3. And while you’re at it, make sure to cover the topic of CEO Fraud with your staff, which also seems to be gaining popularity among attackers.

It’s that easy! Whenever you hook a user, tactfully contact them about it, provide further training as needed, and then make a note to test them again after a few months. Before you know it, your whole company will be too paranoid to open Janet’s holiday photo collection because it’s coming from her non-work email address, and nobody wants another talking-to from the nerds in IT.

Technical support

Leverage the tools that are out there to help stop your organization from falling victim to hackers:

  1. Make proper use (i.e. monitored and updated) of a solid antivirus product with a proven track record for stopping cryptolocker attacks, including previously unidentified ones (via strong heuristics). My personal favourite is ESET, which was able to protect users from WannaCry as it emerged. Despite what some say, Windows Defender doesn’t cut it a lot of the time.
  2. Consider using a hosted email solution (if you aren’t already). Not only does it save you the headache of running an internal mail system, but the power of their anti-spam and anti-phishing tech running at scale just can’t be emulated at an organizational level. Take it from someone who was once responsible for running a mail server, tweaking rules, managing blacklists, and trying to train users to flag spam — it isn’t worth it. Switching to G Suite changed my life, and I was constantly impressed by the cleverness of their mail filters and inline “this message is suspicious” warnings.

Preparation

Make sure your company is doing the necessary but oh-so-often-neglected items required to provide organizational security in a general sense, to ensure you’re prepared for a lapse in your defences:

  1. Routinely apply security patches, including application software such as Office and whatever PDF reader you use. Hackers don’t have to trick users into directly running a malicious program (although they often do); simply opening a resource such as a document or webpage with an insecure piece of software can be enough.
  2. Verified 3–2–1 backups are a must! Imagine if the live versions of the data on your hosts, network shares, and databases were lost — be it from a ransomware attack or some kind of system failure. Would you be able to recover? How quickly? Have you verified your backups and tested the recovery process lately? In addition to standard backups, offsite and offline backups are needed to protect your organization, and they don’t count unless you’ve confirmed they’re working and practiced your disaster recovery scenarios.
  3. Don’t (exclusively) trust the Cloud. Regarding the above point, if all your data is in the Cloud, don’t simply trust your provider to “take care of it” for you, even if you’re subscribing to backup services. Hackers have been known to lock victims out of accounts, remove Cloud VMs, snapshots, and backups, then hold the exfiltrated data and machines for ransom. You should have a regularly updated (and offline) version of your hosted data, which is also prudent in case your Cloud accounts get suspended or terminated — not unheard of given they’re subject to imperfect algorithmic scrutiny (looking for “suspicious” behaviour), arcane “terms of service” agreements, and Orwellian customer support systems. Oh yeah, also make sure you’re using 2FA on anything sensitive as well (duh).
  4. Logging. In case you do get breached, the first step will be to track down the source of the compromise, as well as any impacted systems on the network. Having centralized logs (on a hardened system) will make your life much easier. Host-based logging isn’t enough, given an attacker’s ability to wipe them out. While you’re at it, make a habit of reviewing the logs manually for anomalies — this may help you detect if you’re being targeted or have been compromised and not yet realized it.

An easy way to do all this is via a repeating calendar reminder and a Google Sheet (or the like) to track the results. It should be somebody’s job to maintain the systems and backups, and somebody else’s job to make sure that that work is being done. Setting aside time and delegating clear responsibilities helps stop these crucial tasks from slipping through the cracks.

When it happens

Don’t Panic! If you’ve prepared properly, you’ll be able to handle this. And if you haven’t, or a system/process has failed, hope is not yet lost.

Recovery

I’ll cover this briefly given that there is a lot of literature out there on the subject:

  1. Respond to the incident appropriately by isolating impacted hosts, then use your logging system to track down the source of infection (because if you don’t do this first, you’ll just get infected again) and address the issue.
  2. Identify the impacted data and begin your disaster recovery process by restoring backups as needed — err on the side of caution and restore anything you think that could possibly have been hit (to stop a potential second wave of infection).
  3. Verify you’re back up and running, and then deal with the fallout; be prepared for a lot of uncomfortable meetings. Also be prepared to calmly explain how your process “worked”, that you were able to recover, and thanks to your genius, you didn’t have to pay the ransom. Thank me come performance review season.

Obviously, this is a simplification, and incidents have to be handled on a case-by-case basis. There are many firms that specialize in incident response, and bringing one in can help you with the process. Consider researching your options ahead of time and setting up a relationship, so you’ve got someone on speed dial if they’re ever needed.
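The Logging point under Preparation and step 1 of Recovery both depend on being able to spot a cryptolocker in centralized logs and trace it to the originating host. The following is an added example, not code from the original post: it runs a sliding-window detector over a constructed sample of file-server audit events (the "host= user= op= path=" field layout is an assumption for this example) and reports which workstation and account produced a burst of writes/renames on the shares, along with the extension the files were being given.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample of centralized file-server audit events, one per line. The
# "host= user= op= path=" field layout is an assumption made for this example.
SAMPLE_LOG = """\
2019-06-03T09:14:00Z host=ws-04 user=janet op=WRITE path=/shares/hr/holiday.jpg
2019-06-03T09:14:02Z host=ws-17 user=bob op=RENAME path=/shares/finance/q2.xlsx.locked
2019-06-03T09:14:02Z host=ws-17 user=bob op=RENAME path=/shares/finance/budget.docx.locked
2019-06-03T09:14:03Z host=ws-17 user=bob op=RENAME path=/shares/finance/payroll.csv.locked
2019-06-03T09:14:03Z host=ws-17 user=bob op=WRITE path=/shares/finance/README_DECRYPT.txt
2019-06-03T09:14:04Z host=ws-17 user=bob op=RENAME path=/shares/finance/audit.pdf.locked
2019-06-03T09:14:05Z host=ws-17 user=bob op=RENAME path=/shares/finance/forecast.xlsx.locked
2019-06-03T09:14:05Z host=ws-17 user=bob op=RENAME path=/shares/finance/invoices.zip.locked
2019-06-03T09:14:06Z host=ws-17 user=bob op=RENAME path=/shares/finance/board.pptx.locked
2019-06-03T09:20:00Z host=ws-04 user=janet op=WRITE path=/shares/hr/holiday2.jpg
"""

LINE_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) op=(\S+) path=(\S+)$")

def parse(log_text):
    """Yield (time, host, user, op, path) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield (ts, *m.groups()[1:])

def detect_mass_encryption(log_text, window_s=60, threshold=6):
    """Flag hosts that write or rename >= threshold share files within window_s seconds,
    the burst pattern a cryptolocker leaves. Returns host -> details of the burst."""
    recent = defaultdict(deque)  # host -> (time, path) events inside the sliding window
    alerts = {}
    for ts, host, user, op, path in parse(log_text):
        if op not in ("WRITE", "RENAME"):
            continue
        q = recent[host]
        q.append((ts, path))
        while (ts - q[0][0]).total_seconds() > window_s:  # drop events older than the window
            q.popleft()
        if len(q) >= threshold:
            ext, n = Counter(p.rsplit(".", 1)[-1] for _, p in q).most_common(1)[0]
            alerts[host] = {"user": user, "first_seen": q[0][0].isoformat(),
                            "count": len(q), "top_extension": ext, "ext_count": n}
    return alerts

if __name__ == "__main__":
    for host, info in detect_mass_encryption(SAMPLE_LOG).items():
        print(f"ALERT {host}: {info}")
```

Tune `window_s` and `threshold` to your shares' normal churn so that a legitimate bulk copy doesn't page you, and feed the detector from the hardened log server rather than from the hosts themselves.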

When all else fails, or if it’s too late

Many victims have been paying out ransoms, surprisingly at the advice of experts. As it turns out, reputation still means something even on the Dark Web, and a lot of organizations are able to bite the bullet and get their data back (and even negotiate on price). If you’re in a situation like this, call in the experts who handle this kind of incident response.

It’s also worth mentioning that “Cyber Insurance” is in vogue right now and purportedly can help mitigate the related costs and fallout (even to the point of reimbursing ransom payouts). As someone who has filled out several related insurance forms, I must say that I’m skeptical about how likely you are to actually get that money. To me, they seem to be worded in a way (by asking nebulous questions about your security practices) that if you do fall victim, a claim may be denied due to “negligence”: given that a breach did occur, there is a de facto failure in your security somewhere (with a finger pointing your direction), therefore it’s your fault, so no payout. Thankfully I’ve never had to file a claim, so for now at least, this is speculation and paranoia on the author’s part.

Feel better?

These types of attacks have been growing in frequency. The anonymous nature of cryptocurrency and historical successes of hackers getting payouts means that the trend is going to continue. It’s now on you to make sure you’re ready for this unfortunate future. Protect your data, train your staff, and prepare for the worst. Time to batten down the firewalls!

The easiest way to tell if you’re properly covered is to ask yourself this: if our datacentre is physically destroyed, and/or our Cloud data is completely lost, could we recover? If the answer is yes, then good job! You’re prepared for a ransomware attack, in addition to many other threats to the digital aspects of your organization. Hopefully you can now sleep better at night!


Kevin Dawe

Cybersecurity Specialist & passionate techie currently living in and loving London, Canada. More info at kevindawe.ca