Trusted Internet Blog

Thoughts, Guidance, Musings

A Ransomware Playbook. Ransomware can be prevented.

Posted by Jeff Stutzman, Chief Information Security Officer | Dec 30, 2018 2:43:45 PM

About a year ago, I helped pay out a ransomware case, which at that time was one of the largest of its kind  .. Why? Because the company HAD to.  They were completely unable to conduct any business unless they did.  How were they completely locked down? Thats a different conversation, but the lessons learned might help you today.

Over the weekend, the Ryuk ransomware strain was reported by ZDNet as the suspect malware in a cyber attack that caused printing and delivery disruptions for several major US newspapers over the weekend, Los Angeles Times and San Diego Union Tribune., the West Coast editions of the Wall Street Journal and New York Times, which are printed at the Los Angeles Times’ Olympic printing plant in downtown Los Angeles. 

As ransomware becomes the weapon of choice, here are a few things you can do to make sure you don't find yourself in a shutdown, faced with paying out one of these monster ransoms.

How do you simultaneously recover from your current situation, maintain operations, and figure out how to harden going forward so that you won't be reinfected in the future? This happens fast. You'll need to be organized and move quickly and efficiently. It sounds like a lot, but to an experienced IT team will have no problem executing the solution:

What is Ransomware?

Ransomware is a type of malicious software that threatens to publish the victim's data, encrypt, or perpetually block access to it unless a ransom is paid. shutterstock_1261099645-1

How Did I Get Infected?

Ransomware can be delivered in a number of ways, but the most common is as an infected file attached to an email.  
Email attachments aren’t the only mechanism for infection.

  • Drive-by downloading is a common tactic to deliver all kinds of malware. This occurs when a user visits an infected website and malware is downloaded and installed without the user’s knowledge.
  • It can be delivered through through social media, gaming and web-based instant messaging applications.
  • Web servers have been exploited to gain access into an organization’s network.
  • In the case of our six figure payout, it was spread through an automated backup system. 

What If You Get Infected?

Hopefully, you have a recent backup and you can simply wipe your device and reload it from one that's uninfected. If so, remove yourself from the Internet, clean the machines if possible, and restore from good backups.

  • Use common sense before spending a ton of money in your moment of crisis.  Every security vendor, and several non-security vendors will likely call you. As Tip Oneal used to say, never let a good crisis go to waste... and they won't. In my case, the sales pitches were not subtle. We recommend a strong endpoint solution, a solid network solution, and DNS monitoring as a minimum. The DNS monitoring will help prevent outbound calls to external domains associated with the ransomware. The UTM can monitor and protect at the network layer, and the endpoint solution will stop known rogue processes from continuing --including we found out, the decryption process! There are a whole host of options, but if you need troubleshooting tools fast, this is my recommended suite.
  • Remove any public facing password-only (or heaven forbid, non-credentialed or anonymous access) to your network
  • Seek good threat intelligence. In my case, we reverse engineered the ransomware package to best understand how it may have entered, correlated the strain with it's lineage, and closed off the most likely entry points. We had prior knowledge of the techniques employed, but were brought in a few days after the event. Using an endpoint tool, we began a search for indicators of compromise across the environment, isolating encrypted machines.
  • We used patterns in the polymorphic file names to identify installed directories that were being used to launch reinfections --and stopped those processes from running using the endpoint system.
  • The entire time, we scoured intelligence looking for decryption keys --which, it turns out, did not exist; and now several days into the event, it was time to pony up some bitcoin.
  • We did report to the FBI under attorney client privilege, but did not ask for their assistance. We waited until we made a business decision on how we'd go forward, and then informed them of our decision, how we came to it, and our plan. This gave us top cover in the event something went sideways. 
  • We do recommend reporting the crime to someone. Your local police department likely won't help you much, but you can submit a report to the Department of Homeland Security's US-CERT, the FBI, or the Internet Cyber Crime Center.  If you're not comfortable doing this, hire an attorney who can navigate these waters confidentially. We (Trusted Internet and our Intel Shop, Wapack Labs) have two that we use, and can refer them if needed.
  • Do not rely on your own IT staff to help you recover from a ransomware event. They may be the best on the planet, but when you have a 72 hour window for paying a ransom or losing your business, time is money. Many security vendors (like us) have experts on staff that can provide you with advice on how to respond should your system become infected with ransomware.  There are also third-party forensics experts who can help you get back up and running. 
  • Pay or not to pay. This is a hard and personal choice.
  • Last, harden your networks and be prepared. There is a strong likelihood that you'll be re-attacked/reinfected. You'll want to be ready.

What Can I do I to Prevent It?

Here are a THREE THINGS that you need to do to protect yourself and your organization from the effects of ransomware

1. Back up your systems regularly. Automated systems work well, but be sure to create offline backups to routinely. 

Automated backup systems are wonderful things. Set it and forget it; but... when your backups become encrypted or blocked you will have nothing to restore from. What do you do? You restore from that offline backup system I mentioned. How far back can you afford to go back to restore from a good, clean copy?

2. Use professional tools to analyze and protect you from malicious email attachments, websites, and files.

Trusted Internet recommends, deploys and manages remotely, Unified Threat Management (UTM) devices. These are also sometimes referred to as Next Generation Firewalls. UTM's include a combination of tools (intrusion prevention systems, antivirus, anti-malware, etc.) that when used in concert can help stop many of the things that can hurt you.  When used properly, they can block potentially harmful websites, advertisements, and social media sites, and, much of the ransomware.

Here's a buying tip: If you can't load your own intelligence into the UTM, don't buy it! If you don't know how (or don't have the manpower), outsource this. It's important and doesn't have to be crazy expensive. You'll want to be able to do this going forward, and many vendors simply don't offer this as an option. 

For small companies, we recommend either fully automated patches and updates, or, have someone (like us) do it for you. There are a number of options. 

3. Harden your networks and be prepared.  Consider a standard architecture and protection model going forward.

There are several to choose from but our model is fairly straight forward and inexpensive to instrument: 

  • Segment your network into security zones, so that an infection in one area cannot easily spread to another. In the Navy we called it 'water tight integrity'. Every compartment had a door that could be closed to keep a flood from spreading from one space to another, isolating the issue and thus keeping the ship afloat. Networks work the same way.
  • A UTM on the network, separating everyone in the organization from the Internet.
  • Virtual Private Networks for travelers, all terminating at the UTM.
  • An endpoint client that allows protection and the ability to troubleshoot remotely.
  • Use DNS filtering - OpenDNS, Umbrella, or one of the other options.
  • Use 24x7x365 monitoring and intelligence provided by a professional staff. These services are inexpensive and can save your company.
  • If you don't have a professional CISO onstaff, hire a virtual CISO. CIOs and IT Directors are charged with keeping computing running. CISOs are charged with keeping them safe --often times contradictory positions. 

Need help? Contact us today. 

Contact Us

 

Topics: Wapack Labs, Cyber, Network Security, Information Security, New Hampshire, News, ceo, ransomware

Written by Jeff Stutzman, Chief Information Security Officer

Jeff Stutzman Chief Intelligence Officer, Wapack Labs Chief Information Security Officer, Trusted Internet Wapack Labs is a private cyber intelligence organization that performs research, analysis, and intelligence operations. The Lab authors cyber threat intelligence and analysis for the global memberships of the Red Sky Alliance, the Financial Services ISAC and the Maritime and Port Security ISAO. Prior to Wapack Labs, Mr. Stutzman served as a Director at the DoD Cyber Crime Center (DC3). Mr. Stutzman has ‘boots on the ground’ experience in more than two dozen high-risk cyber threat areas including China, Brazil, the Middle East, and South America. Mr. Stutzman has held operational and senior positions with Cisco Systems, Northrop Grumman, Carnegie Mellon University, the DoD Cyber Crime Center and is a former Navy Intelligence Officer. He has been cited in the Wall Street Journal, Wired Magazine, NH Public Radio, and numerous trade publications. He holds a BS from Excelsior College, an MBA from Worcester Polytechnic Institute, and is a Harvard Kennedy School Senior Executive Fellow.