May 15, 2017
How to Survive as a Small- to Medium-Sized Business
Author: Matt Bromiley, Kroll
What Is a Ransomware Attack?
Last week’s extensive ransomware attack continues to cause issues worldwide and shows that businesses of any size in any industry are vulnerable. Ransomware can be particularly troublesome for small- to medium-sized businesses, which typically do not have the full range of IT resources readily available to combat such attacks or to respond to such criminal demands.
Ransomware is a type of malware; once executed on a computer system, it seeks to encrypt a wide range of files, denying the user access, and effectively holding these files “hostage” in return for a monetary payment – a ransom. The malware encrypts targeted files with a password unknown to the user and leaves a ransom note on the infected system(s) that demands a payment to get files decrypted. Attackers demand payments in bitcoins (a form of electronic currency), which allows for anonymity.
Perpetrators take advantage of myriad methods to deploy ransomware on targeted networks, including:
- Social engineering schemes, such as phishing.
- Exploitable third-party applications, such as Adobe Flash/Shockwave or Microsoft Office.
- Systems with remote access capabilities exposed to the network.
- Moving laterally between systems – attackers have become skilled at moving through intranets and connected systems to spread ransomware from one to many.
- Enumerating mapped drive letters that point to network file shares, so that access to only one machine lets the malware encrypt data belonging to the entire organization.
If You Get Breached
Ransomware is a highly successful and profitable criminal operation. The FBI reported that the first three months of 2016 alone yielded close to $209 million in ransomware-related monetary losses. As much as an organization can prepare, attackers are very persistent and ransomware may still find a way in. Here are some thoughts on how to respond to a ransomware breach:
- Disconnect infected systems from the company network and the internet as fast as you can. Remember to disable wireless!
- Try to determine how the ransomware attack may have happened. Did the user(s) click a suspicious email, or browse to a suspicious site? If discovered, educate the other users at your organization about the threat so that they do not repeat the same mistake.
- Research ransomware to determine if a decryption method is available. There are hundreds of ransomware families, and many information security vendors and researchers work hard to find and make decryption techniques available. Search for the name of the ransomware or the file extensions. You might be able to decrypt the files yourself.
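The third step above depends on knowing what to search for. The script below is an added example, not part of the original article or Kroll’s tooling: it walks a copy of the affected file tree read-only, tallies file extensions that do not belong on an office share, flags files where the original extension is still visible under an appended one (for example budget.xlsx.locked), and collects likely ransom notes. The list of expected extensions, the ransom-note filename pattern and the sample tree are all constructed for the example and should be tuned to your own environment.

```python
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Extensions that are expected on a typical office file share. This is a
# constructed starting list for the example; tune it to your environment.
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".csv", ".jpg", ".png"}

# Filename shapes that ransom notes often take (constructed pattern, not a
# definitive list): a "readme"/"recover"/"decrypt"-style name ending in a
# text or HTML extension.
RANSOM_NOTE_PATTERN = re.compile(
    r"^(readme|recover|restore|decrypt|how_to|how-to)[^/\\]*\.(txt|html|hta)$",
    re.IGNORECASE,
)


def triage_tree(root):
    """Walk a directory tree read-only and summarise what the encryption did.

    Returns a dict with the total file count, a count per extension that is not
    in KNOWN_EXTENSIONS, the number of files whose original extension is still
    visible underneath an appended one (e.g. budget.xlsx.locked), and the paths
    of candidate ransom notes.
    """
    unknown = Counter()
    notes = []
    stacked = 0
    total = 0
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            total += 1
            path = Path(dirpath) / name
            if RANSOM_NOTE_PATTERN.match(name):
                notes.append(str(path))
                continue
            ext = path.suffix.lower()
            if ext not in KNOWN_EXTENSIONS:
                unknown[ext] += 1
                # A known extension sitting directly under the new one is the
                # classic "append an extension" ransomware signature.
                suffixes = path.suffixes
                if len(suffixes) >= 2 and suffixes[-2].lower() in KNOWN_EXTENSIONS:
                    stacked += 1
    return {
        "total_files": total,
        "unknown_extensions": dict(unknown),
        "stacked_extension_files": stacked,
        "ransom_notes": sorted(notes),
    }


def dominant_extensions(result, threshold=0.25):
    """Unknown extensions that account for at least `threshold` of all files,
    most common first. These are the strings to search for when looking up
    the ransomware family and any publicly available decryptor."""
    total = result["total_files"] or 1
    hits = [(ext, n) for ext, n in result["unknown_extensions"].items()
            if n / total >= threshold]
    return [ext for ext, _ in sorted(hits, key=lambda item: (-item[1], item[0]))]


def build_sample_tree(base):
    """Create a small constructed share layout: three encrypted documents, two
    untouched files and one ransom note. Used only to demonstrate the scan."""
    files = [
        "finance/budget.xlsx.locked",
        "finance/invoice.pdf.locked",
        "hr/policy.docx",
        "photos/team.jpg.locked",
        "notes.txt",
        "README_FOR_DECRYPT.txt",
    ]
    for rel in files:
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("constructed sample content\n")


def run_demo():
    """Build the sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        result = triage_tree(tmp)
    result["search_terms"] = dominant_extensions(result)
    return result


if __name__ == "__main__":
    summary = run_demo()
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Point triage_tree at a mounted forensic image or the still-disconnected machine rather than writing anything to the infected volume; the dominant extension and the ransom note filename together are usually enough to identify the family. The same scan, pointed at a backup set, is a quick way to confirm the backup predates the infection before restoring from it.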
If the problem is larger than the organization can handle, then you may need to reach out and request third-party help. This may require involving legal counsel or hiring third-party investigators. Additionally, your organization may have cyber insurance that can assist in the cost of responding to a ransomware breach.
How to Respond to Attackers
Once a ransomware breach has occurred, many organizations want to end the pain as soon as possible. The organization has suffered through hours or days of inaccessible data and constant, nagging emails. Paying the ransom may seem like an easy fix – in fact, many attackers these days are demanding ransoms just low enough that it does not seem like an insurmountable sum. However, this is all by design.
Kroll recommends against paying ransoms. This recommendation comes from years of ransomware investigations and is due to the following:
- Paying ransoms encourages ransomware attackers to continue their line of work! The less profitable it is, the less they will persist.
- Paying ransoms lets attackers know that your organization is one that will pay to end trouble – this may open the floodgates to other types of attacks. Kroll recently completed an investigation with an organization that paid a ransom and two months later found itself held hostage by Distributed Denial of Service (DDoS) attacks, which are designed to disrupt an organization’s operations.
- There is never any guarantee that paying the ransom will result in the decryption of your data. In January 2017, Kroll published an article about NoSQL databases being held hostage. Our research discovered that the attackers never actually had the data; they were just looking to make a quick buck.
There is no “one-plan-fits-all” approach to responding to a ransomware attack. Businesses have to respond to these scenarios with realistic expectations and take into account their ability to respond, recover, and/or even to pay the ransom in the first place. Getting an expert opinion can definitely help a company make the right decisions.
Getting Back to Normal
Once your organization has contained the attack and file encryption has stopped, it is time to start the healing process. Make sure to take the following steps:
- If you have a method to decrypt files, then decrypt on the system while it is offline. Do not reconnect to the internet. Once files have been decrypted, move them to a clean, external drive.
- Change all passwords within the business. Ask users to reset their passwords using strong password policies, and reset any server passwords.
- If you have clean backups from a time prior to the infection, then use backups to rebuild machines. If the system had a vulnerability, patch it before the system goes back into service.
- If you do not have backups, rebuild infected systems from the ground up. You do not need to buy new machines, just install a new version of the operating system. Reinstall programs that users need.
- Ensure all the staff are on high alert. If the ransomware was successful on at least one system, the attacker might know your IP address and try to come back.
- Close off the “entry vector” (the exposed pathway) that the attackers used to infect the network. This may mean closing an open port to remote access software or disabling the use of third-party extensions, such as Flash, on user machines.
Recovery: Improving for the Future
After restoring your business back to normal, it is time to start improving the organization to protect against future attacks. This is an important process in developing internal security and is practiced by organizations large and small. Consider the following:
- If your organization is not backing up data, it may be time to consider backup or data retention options. There are many affordable options to perform backups locally as well as online in the cloud. Whatever your choice, make sure that backup systems are separated from the network so an attacker cannot access them too.
- Segregate systems so that attackers and malware cannot easily move throughout the network. Even in small organizations, there is a reason for logical data separation.
- Disable the use of vulnerable applications that may lead to future compromises.
- Implement user education. Regardless of your organization’s size, make sure to have periodic information security discussions or trainings with your employees. Make sure employees are vigilant and protective of the company’s data.
As disruptive as the attacks may have been, security-minded organizations use these events as opportunities to enhance their user security. Schedule meetings with staff or departments to discuss how the attack happened and steps the organization can take or has taken to mitigate future attacks. If user processes have to change (for example, users no longer have Local Administrator privileges on their machines), this will give them an opportunity to ask questions.
Ransomware serves only one purpose: disrupt normal business processes and demand payment for resumed continuity. This “business” model has led to its success, as many small- to medium-sized organizations simply want a way to get back to normal. However, with a little preparation, defense, and an action plan, companies of all sizes can prevent and survive ransomware attacks without spending a lot of money, while reducing the chances of being victimized again.
About the Author
Matt Bromiley is a cyber security and computer forensics expert at Kroll. He has an extensive background in computer and network forensics, malware analysis and classification, and litigation support. Prior to joining Kroll, Bromiley worked for many years in the fields of forensic technology and information systems, where he assisted a range of organizations, from multinational, global conglomerates to small, regional companies. His work in forensic analysis, network monitoring, incident response, and global cyber threat intelligence gives him a deep understanding of how security threats impact businesses and the consumers they serve. Matt is a certified GIAC Network Forensic Analyst (GNFA) and GIAC Certified Forensic Analyst (GCFA). He is also a SANS instructor and currently serves on the SANS GIAC Advisory Board. At Kroll, Bromiley utilizes his technical expertise in the fields of computer and network forensics, malware analysis, mobile device forensics, network security monitoring, and data analytics and aggregation.