Six Steps to Minimize the Risk of Ransomware

Joe Priestley, IT Director for Corn Belt Energy, shares his thoughts on minimizing the risks of ransomware.


It started with a simple email telling an employee that she had a voicemail waiting. Just a basic voicemail; that’s all. The fact that she had never before received an email like this one gave her pause for a moment. But after a colleague shrugged off the question and advised her to open the attachment, a simple flex of a finger on the mouse was all it took to set into motion a ransomware attack and a full-blown emergency.

The virus that was now attacking our network was CryptoLocker, an insidious piece of ransomware that is currently plaguing companies of all sizes and types.

CryptoLocker is a Trojan that has been targeting Windows machines for the past three years, but has become far more pervasive over time. Typically transmitted through infected email attachments and botnets, the malware encrypts local hard drives and mapped network drives using public-key cryptography and then launches a pop-up window through which the victim can pay the criminals, often in Bitcoin or through a cash payment to an off-shore account. The criminals then, with luck, send the victim the key that unlocks the data. Whether or not that key will actually be sent is anybody’s guess. Remember, you’re dealing with the criminal element here. However, most of the bad guys are aware that a reputation for not decrypting the data after the ransom is paid would pretty much kill their illicit business model.

Speed is of the essence in a situation like this. Although the virus moves quickly, IT people who can recognize the threat and are ready to take action can often reduce the amount of data that becomes locked down. Once the infection is contained, the focus shifts to the process of restoring data from backup, assuming, of course, that the backup protocol at the company is sufficiently diligent for restoration. If so, you won’t have to deal with the bad guys. If not, you’d better get ready to pay up.
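Recognizing the threat early, as the paragraph above describes, usually comes down to spotting one account touching far more files on a share than a person ever would in a minute. The following is an added example, not code from the article or from Corn Belt Energy: it reads constructed file-server audit lines (timestamp, account, action, path; the format, the `CORP\bob` account and the `\\fs1\shared` paths are all made up) and flags any account that modifies or deletes a threshold number of distinct files inside a sliding time window.

```python
"""Flag accounts that modify an abnormal number of distinct files in a short window.

Added example, not from the article. The audit-line format and every account,
host and path below are constructed for the demonstration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log() -> str:
    """Constructed audit export: one normal user, one account encrypting in bulk."""
    lines = [
        "2016-03-14T12:03:10 CORP\\alice WRITE \\\\fs1\\shared\\finance\\q1.xlsx",
        "2016-03-14T12:04:02 CORP\\alice WRITE \\\\fs1\\shared\\finance\\q1.xlsx",
        "2016-03-14T12:05:30 CORP\\alice WRITE \\\\fs1\\shared\\finance\\notes.txt",
        "2016-03-14T12:06:00 CORP\\bob READ \\\\fs1\\shared\\hr\\policy.docx",
    ]
    # Ransomware-like pattern: every second, write an encrypted copy of a file
    # and delete the original, walking through the whole share.
    start = datetime(2016, 3, 14, 12, 7, 40)
    for i in range(60):
        ts = (start + timedelta(seconds=i)).isoformat(timespec="seconds")
        lines.append(f"{ts} CORP\\bob WRITE \\\\fs1\\shared\\hr\\doc{i}.docx.encrypted")
        lines.append(f"{ts} CORP\\bob DELETE \\\\fs1\\shared\\hr\\doc{i}.docx")
    return "\n".join(lines)


def parse_line(line: str):
    """Split '<iso-timestamp> <account> <action> <path>'; the path may contain spaces."""
    ts, user, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, action, path


def find_burst_writers(log_text: str,
                       window: timedelta = timedelta(seconds=60),
                       threshold: int = 50) -> dict:
    """Return {account: (time of first alert, distinct files touched in window)}.

    Only file-changing actions count; reads are ignored. Each account keeps a
    deque of (timestamp, path) events no older than `window`, and an alert is
    raised the first time the number of distinct paths in that deque reaches
    `threshold`.
    """
    windows = defaultdict(deque)
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path = parse_line(line)
        if action not in ("WRITE", "DELETE", "RENAME"):
            continue
        events = windows[user]
        events.append((ts, path))
        while events and ts - events[0][0] > window:
            events.popleft()  # drop events that fell out of the window
        distinct = len({p for _, p in events})
        if distinct >= threshold and user not in alerts:
            alerts[user] = (ts, distinct)
    return alerts


if __name__ == "__main__":
    for account, (when, count) in find_burst_writers(build_sample_log()).items():
        print(f"{when.isoformat()} {account} touched {count} distinct files "
              f"within 60s; isolate the workstation and pull the share offline")
```

With the constructed input, the normal user never exceeds three distinct files, while the bulk-encrypting account crosses 50 distinct paths about 25 seconds into its run; in practice the threshold and window are tuned against a baseline of real share activity, and the alert is what triggers the containment steps the article describes.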

First, I confirmed that the PC was not sending data offsite via the Internet. Seeing that this was not the case was an immediate source of relief. I then checked all of the various drives to which the PC had access, assessed the extent of the damage, and replaced the infected PC with a freshly imaged device. The software had worked well, encrypting most data on the local PC then moving on to each mapped drive. Realizing that there would be no simple way to determine the depth of impact for a surgical clean-up, I moved quickly to erasing and restoring the file server that provided those shared drives. The incident occurred shortly past noon. Mounting my hourly backups from noon, I saw no encrypted files and knew that this backup point was safe. The restoration took less than 40 minutes. Only three files were changed after noon, before the encryption, and were easily updated.
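Choosing the backup point to restore from is the step that decides whether the incident is an inconvenience or a disaster. The script below is an added example, not the author's tooling: it builds three constructed hourly snapshots in a temporary directory (labels, file names and contents are all made up), scans each for two signs of encryption, a text-type file whose contents have near-random byte entropy and a document name with an extra extension appended, and reports the newest snapshot that shows neither.

```python
"""Pick the newest backup snapshot that shows no sign of encrypted files.

Added example, not from the article. Snapshots, file names and contents are
constructed in a temporary directory so the script runs offline.
"""
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# File types whose contents should be low-entropy plain text.
TEXT_EXTENSIONS = {".txt", ".csv", ".log"}
# Plain text sits around 4-5 bits per byte; encrypted data approaches 8.
ENTROPY_LIMIT = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for an empty file)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_files(snapshot_dir: Path) -> list:
    """Return [(path, reason)] for files that look encrypted or renamed by ransomware."""
    findings = []
    for p in snapshot_dir.rglob("*"):
        if not p.is_file():
            continue
        suffixes = p.suffixes
        # e.g. notes.txt.encrypted: a text extension with another one appended
        if len(suffixes) >= 2 and suffixes[-2] in TEXT_EXTENSIONS:
            findings.append((p, "extra extension appended"))
            continue
        if p.suffix in TEXT_EXTENSIONS and shannon_entropy(p.read_bytes()) > ENTROPY_LIMIT:
            findings.append((p, "high entropy for a text file"))
    return findings


def last_clean_snapshot(snapshots: list):
    """`snapshots` is [(label, dir)] oldest first; return the newest clean label."""
    for label, snapshot_dir in reversed(snapshots):
        if not suspicious_files(snapshot_dir):
            return label
    return None


def build_demo_snapshots(root: Path) -> list:
    """Constructed data: 11:00 and 12:00 are clean, 13:00 was taken after encryption."""
    rng = random.Random(0)  # deterministic stand-in for ciphertext
    ledger = ("invoice,amount\n" * 200).encode()
    notes = b"meeting notes\n" * 50
    ciphertext = bytes(rng.getrandbits(8) for _ in range(4096))
    layout = {
        "11-00": {"finance/ledger.csv": ledger, "notes.txt": notes},
        "12-00": {"finance/ledger.csv": ledger, "notes.txt": notes},
        "13-00": {"finance/ledger.csv": ciphertext, "notes.txt.encrypted": ciphertext},
    }
    snapshots = []
    for label, files in layout.items():
        snapshot_dir = root / label
        for rel, content in files.items():
            target = snapshot_dir / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)
        snapshots.append((label, snapshot_dir))
    return snapshots


def run_demo():
    """Build the snapshots, scan them, and return (newest clean label, findings per label)."""
    with tempfile.TemporaryDirectory() as tmp:
        snapshots = build_demo_snapshots(Path(tmp))
        per_label = {label: len(suspicious_files(d)) for label, d in snapshots}
        return last_clean_snapshot(snapshots), per_label


if __name__ == "__main__":
    clean, per_label = run_demo()
    print("suspicious files per snapshot:", per_label)
    print("restore from:", clean)
```

Against real backups the two heuristics are only a first pass (compressed formats such as .docx or .zip are high-entropy by design, so the text-extension list has to be chosen per environment), but they answer the question the article's author had to answer by hand: which hourly snapshot is the last one taken before the encryption started.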

This invasion by Cryptolocker could have been devastating. But effective preparation and planning reduced the impact to more of an inconvenience. I’ve heard of many organizations that experience extreme disruptions or are simply forced to pay the ransom.

Information security has always focused on tiered measures and a layered approach to protection. With that in mind, there are certain things you can do to help protect yourself.

  • Limit access and permissions on network resources to the individuals who truly need those rights.
  • Store all important files in a central location and execute frequent back-ups of that location. I back up some systems daily and others more than once an hour.
  • Ensure your backup system can’t be compromised through the same channels that can be used to attack the networked resources. If an administrator’s credentials are used for the attack, could those same credentials also be used to destroy the backups?
  • Trust nobody and train your employees to trust nobody. Gone are the days when a virus was unleashed on the world while its author remained in hiding. Now, we receive phone calls and have live conversations with those hoping to defraud us. Criminals register domains designed to look similar to ours and send email appearing to come from our executives, conversing with us.
  • Train staff to look for illicit attempts and conduct regular training and testing on what to look for.
  • Build an environment that can withstand human and technical failures. Technologies such as VDI can create a walled garden of security that allows enterprise applications to thrive in a pristine environment. Multifactor authentication can better protect access to that environment.

Nothing can provide flawless security, but performing the necessary steps to preserve a safe environment has become an integral part of doing business in the 21st century.
