It’s 6:05 AM on a Friday. Diane, the CEO of NotReallyTechCorp, a medium-sized local business, is attempting to log in to her computer to begin the business of the day. Sign-on goes fine, but as soon as she tries to open local applications, she receives errors. Finally, she notices a new file on the desktop. She opens it and finds something that looks a lot like this:
Diane immediately calls her CISO, then her CIO, and then her VP of Information Technology. Finding they were all still asleep, Diane calls Dennis, the Systems Engineer in charge of the databases that make up the heart of NotReallyTechCorp’s business.
“I was wondering when you’d call,” Dennis mumbles. “I started getting alerts from some systems about an hour ago. I-”
“Just cut to it, Dennis,” interrupts Diane. “What’s happening?! Why can’t I log into anything? I have this weird message in a text file on my desktop and I can’t make heads or tails of it. What is a Tor, and what does it have to do with onions?”
“We have been hit by a ransomware attack. I don’t know how bad yet, but…it’s bad. At least five systems that are definitely infected, and I haven’t gone through them all yet. I shut off the backup server and all the database servers as a precaution, so…”
Diane is incredulous. “You shut off the database!? How can we do business?”
“I didn’t feel like we had a choice. I took down the external network connection, too. Hell, the only way you were able to log in is because you’re in the office. And with your permission, even that’s not gonna last much longer. I had to shut down the database in case it wasn’t infected yet. That’s the only way to be sure. Same for the backups too. The thing is,” Dennis said, slowly, “the way we’re set up, that database IS the business. And those backups? They’re the only ones we got. And if we can’t get clear of this with those systems intact, we’re going to lose a lot more than a day’s earnings. NotReallyTechCorp might never get back online at all.”
It was going to be a long, long day.
“Ok,” Diane finally says. “Tell me everything I need to know about Ransomware.”
In short, ransomware is a specialized form of malware designed to lock down as much of your IT infrastructure as possible until a ransom is paid. It is straight-up extortion—no more, no less. The screenshot above is an example ransom note that is left on the system, giving instructions on how to pay the ransom. Once the ransom is paid, the attacker will hopefully unlock your infrastructure and remove all traces of ever being in your systems.
The most common attack vector for ransomware (and indeed, many kinds of malware) is the spearphishing email. These are specifically targeted emails that trick a user into running an executable (or opening a document containing a malicious macro) on their system. The executable then locks the user out of that system, attempts to harvest as many credentials as possible, and then tries to traverse the network to lock as many computers and file shares as it can reach. Critical targets are the most valuable, and credentials such as Administrator-level passwords can allow an attacker to disable an entire business.
The worst-case scenario will see data exfiltrated to an attacker’s networks and backups destroyed (or otherwise compromised), which limits the ability of a business to do anything at all in terms of recovery.
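The chain just described (an executable runs, encrypts the user’s files, drops a note, then spreads) leaves traces a defender can score before the ransom note is ever read. The following is an added example, not code from this article or from Anexinet: it applies three ransomware heuristics to a constructed list of file events: high-entropy writes (ciphertext looks random), bulk extension changes, and a dropped ransom-note file name. The event layout, the note-name list, and the thresholds are assumptions made for the example.

```python
import math
from collections import Counter, defaultdict
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass
class FileEvent:
    """One file-system event in the shape an EDR agent or audit log might report.
    The field layout is an assumption for this example, not any product's format."""
    host: str
    op: str                  # "write" or "rename"
    path: str
    content: bytes = b""     # data written (a sample of the file is enough)
    new_path: str = ""       # destination path for renames


# Constructed list of ransom-note file names; real names vary by family.
NOTE_NAMES = {"readme.txt", "how_to_decrypt.txt", "restore_files.txt"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant byte stream, 8.0 for uniformly random bytes.
    Encrypted output sits near 8.0; documents and database files sit well below 7.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def assess_host(events, entropy_threshold=7.0, burst_threshold=5):
    """Score one host's events. Returns (verdict, findings)."""
    findings = {"high_entropy_writes": 0, "extension_changes": 0, "ransom_notes": []}
    for ev in events:
        if ev.op == "write":
            name = PureWindowsPath(ev.path).name.lower()
            if name in NOTE_NAMES:
                findings["ransom_notes"].append(ev.path)
            elif shannon_entropy(ev.content) >= entropy_threshold:
                findings["high_entropy_writes"] += 1
        elif ev.op == "rename":
            old = PureWindowsPath(ev.path).suffix.lower()
            new = PureWindowsPath(ev.new_path).suffix.lower()
            if old and new and old != new:
                findings["extension_changes"] += 1
    burst = findings["high_entropy_writes"] + findings["extension_changes"] >= burst_threshold
    if burst and findings["ransom_notes"]:
        verdict = "likely_ransomware"
    elif burst or findings["ransom_notes"]:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return verdict, findings


def assess_all(events):
    """Group events by host and assess each; returns {host: (verdict, findings)}."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev.host].append(ev)
    return {host: assess_host(evs) for host, evs in by_host.items()}


# Constructed sample: one workstation being encrypted, one doing ordinary work.
ENCRYPTED_BLOB = bytes(range(256)) * 8        # stands in for ciphertext (entropy 8.0)
SAMPLE_EVENTS = []
for i in range(6):
    doc = rf"C:\Users\diane\Documents\report{i}.docx"
    SAMPLE_EVENTS.append(FileEvent("ws-diane", "write", doc, content=ENCRYPTED_BLOB))
    SAMPLE_EVENTS.append(FileEvent("ws-diane", "rename", doc, new_path=doc + ".locked"))
SAMPLE_EVENTS.append(FileEvent("ws-diane", "write", r"C:\Users\diane\Desktop\HOW_TO_DECRYPT.txt",
                               content=b"constructed ransom note text"))
SAMPLE_EVENTS.append(FileEvent("ws-dennis", "write", r"C:\Users\dennis\notes.txt",
                               content=b"backup server checked at 05:00 " * 50))
SAMPLE_EVENTS.append(FileEvent("ws-dennis", "rename", r"C:\Users\dennis\draft.docx",
                               new_path=r"C:\Users\dennis\final.docx"))

if __name__ == "__main__":
    for host, (verdict, findings) in assess_all(SAMPLE_EVENTS).items():
        print(host, verdict, findings)
```

Entropy alone is a weak signal (compressed archives and already-encrypted files also score high), which is why the verdict only reaches “likely_ransomware” when a burst of suspicious writes or renames coincides with a dropped note; a real deployment would feed an EDR’s event stream into the same scoring rather than a hand-built list.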
Several players in the anti-malware and anti-ransomware markets publish annual reports on the state of things. These include Malwarebytes, Comparitech, and even the Federal Bureau of Investigation—just to name a few. Their reports are all comprehensive and illuminating, and thoroughly worth your time. For now, though, let’s look at some numbers.
Reports of attacks against business endpoints globally have increased an impressive 13 percent year-over-year. This is unsurprising as tools for scanning for malicious and untrusted URLs are improving, and frankly, businesses have deeper pockets. Today’s businesses also rely far more heavily on their IT resources and thus (the thinking goes) they are more willing to pay.
There is a misconception among many business owners that they are ‘too small’ to be a target. While the big attacks that shut down cities, hospitals and massive manufacturers are making the most news, the reality is that small and medium businesses represent by far the majority (over 70%) of reported ransomware victims. The trend in that space is to spend less on information security. Plus, there are simply more of them to target.
In 2018, the median ransom demand was approximately $6,700 USD. Just by the end of Q1 that number nearly doubled to $12,700 USD. New boutique attackers such as Ryuk, who only go after what they deem high-end targets, are asking between $97,000 and $320,000 USD for businesses of similar size.
New heavy hitters like Ryuk (up 543%) and Sodinokibi (up 820%) are really making a name for themselves. Sodinokibi is actually a “Ransomware-as-a-Service” model that allows less sophisticated attackers into the space. The Sodinokibi service takes a cut of any stolen funds, leaving the people behind the attack with the lion’s share. It’s script-kiddies, 2020 style.
Ransomware software and attack pattern sophistication is ‘far more advanced’ than in 2018. Long gone are the salad days of malware being delivered by a spam email with a fake URL. New flavors of ransomware are being delivered more covertly, such as via fake browser plugins and advanced adware and phishing campaigns. Sadly, old vulnerabilities are still the overwhelming method of choice, with Remote Desktop Protocol (RDP) leading the pack of attack vectors.
This is a tough question. The FBI discourages making payments to criminal actors. Payment is almost always required to be anonymous and virtually untraceable. Because of this, and because of the duplicitous nature of the transaction,
However, in situations where there appears to be a substantial or total loss, the risk/reward ratio might need to be considered. The Baltimore City Government famously lost about $18 million in damages over a ransom of $75,000. The city government believed the funds would have to be spent to recover and remediate anyway, so why encourage this kind of crime? That same year, Danish company Demant had an even bigger breach, and recovering from a ransomware attack cost them upwards of $85 million.
To be fair, many infected companies do choose to pay, often without the public ever learning about it. The few statistics available show a reasonable chance data will be recovered, with an average of 96% of payees reporting receiving a decryption tool, and that tool working fully 93% of the time. This is a massive increase in both numbers over the past few years, as the criminals behind ransomware attacks get more organized and, in certain ways, become more professional. This also explains why the average ransom demand is getting bigger, along with the frequency of attacks.
It’s important to note the efficacy of the recovery tool varies wildly from attacker to attacker, as well as from ransomware strain to ransomware strain. No attacker will guarantee they won’t use the same vector (or a sleeping tool) to attack again. This is one reason why companies like Demant refuse to pay; they simply believe that they will have to spend the money to recover anyway. As one customer memorably put it, “There’s no entry on my [expletive deleted] bank account that says ‘Peace of mind.’ But that doesn’t mean I don’t need it.”
A lot goes into the decision of whether or not to pay and, unfortunately, only the business impacted is knowledgeable enough to decide.
There’s only one way to be sure the ransomware is out of your environment, and that’s by surveying every IT asset. This will necessarily take time and, depending on the size of the organization, could require outside assistance from a technology consultancy like Anexinet. But rest assured, it is necessary to be 100% certain.
If you can maintain a disconnected business-continuity (BC) environment, now would be the time to consider flipping over to it. This is not an option for all businesses, but it is the reason such environments exist.
Contain the spread of the infection as quickly as possible. This will likely mean taking down your external and internal network temporarily.
Different ransomware families attack in different ways, and most are well documented. Understanding what you’re up against can help you determine the best response.
Once the attacker is identified, the next step is to determine how many computers were infected. This can be a slow process, but it’s a necessary one. Custom network rules can be built to bring systems up one at a time for deep scanning without the risk of further spread.
This one hurts, but it’s the only way to be sure. The data is what’s essential. The OS means next to nothing and applications can be reinstalled. If you can, build an entire parallel IT environment so the business can come back online in the “Good” environment, while post-mortem and data-mining take place in the “Bad.” And never the twain shall meet.
Everis left “hundreds of RDP servers” open to the internet. As a result, they were shut down by ransomware. A patch for the bug (the famous BlueKeep) appears to have been applied. Similarly, Sodinokibi uses an attack method that targets known, already-patched bugs, such as CVE-2019-2725 in Oracle WebLogic. A patch was promptly released, but the ‘success’ of Sodinokibi is ample evidence the patch was not always applied quickly enough.
The lesson? When a patch is released, test it and apply it. Quickly.
As stated above, targeted spearphishing campaigns are an increasingly common attack vector.
Invest in strong endpoint-protection software. The tools to defend systems are getting better every day, almost as quickly as attacks are evolving. Genuinely new (0-day) ransomware strains are rare: the ransomware families discussed in this article are well known, and some are over four years old.
Remember, security is most effective when applied in many layers. Aggressive, active endpoint-protection software can be the last bastion between an attacker and a successful attack.
Backups are the bedrock of any DR/BC plan. As such:
It’s imperative to ensure your DR team is comfortable with the restore process. The more comfortable the team is with the process, the faster they’ll be able to implement it in the event of an emergency.
A business continuity plan helps every member of your organization know what to do when a disaster is declared. The plan should be tested in tabletop exercises so that when the worst-case scenario happens the staff assigned to resolve it will be as prepared as possible.
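A restore drill is only meaningful if the team can prove that what came back matches what was backed up, which matters doubly after ransomware, since an attacker who reaches the backup media can encrypt or alter it silently. The following is an added example, not code from this article or from Anexinet: it builds a SHA-256 manifest at backup time, stores the manifest apart from the backup copy, then verifies a restored tree against it, reporting files that are missing, altered, or unexpected. The directory layout, file contents and the tamper step are all constructed for the drill.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large database files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a restored tree against the manifest recorded at backup time."""
    result = {"ok": [], "missing": [], "mismatched": [], "unexpected": []}
    current = build_manifest(restored)
    for rel, digest in manifest.items():
        if rel not in current:
            result["missing"].append(rel)
        elif current[rel] != digest:
            result["mismatched"].append(rel)
        else:
            result["ok"].append(rel)
    result["unexpected"] = sorted(set(current) - set(manifest))
    return result


def restore_drill(tamper: bool = False) -> dict:
    """End-to-end drill on constructed data in a temp dir: snapshot, manifest, restore, verify.
    With tamper=True one restored file is overwritten (as encryption would) and one is deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        prod = tmp / "prod"
        (prod / "db").mkdir(parents=True)
        (prod / "db" / "orders.csv").write_text("id,amount\n1,42\n2,17\n")
        (prod / "db" / "customers.csv").write_text("id,name\n1,alice\n")
        (prod / "config.ini").write_text("[app]\nmode=prod\n")

        # Backup job: copy the data and record a manifest. The manifest is written to a
        # separate location (here a sibling file; in practice offline or write-once storage)
        # so that whoever can alter the backup cannot also rewrite the record of its contents.
        backup = tmp / "backup"
        shutil.copytree(prod, backup)
        (tmp / "manifest.json").write_text(json.dumps(build_manifest(prod), indent=2))

        # Restore job: bring the backup back, optionally simulating damage to the copy.
        restored = tmp / "restored"
        shutil.copytree(backup, restored)
        if tamper:
            (restored / "db" / "orders.csv").write_bytes(bytes(range(256)))  # constructed "ciphertext"
            (restored / "db" / "customers.csv").unlink()

        manifest = json.loads((tmp / "manifest.json").read_text())
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print("clean restore:", restore_drill())
    print("tampered restore:", restore_drill(tamper=True))
```

Run the drill on a schedule, not just after an incident; the point is that the DR team has exercised the restore path and knows what a failed verification looks like before the day it matters.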
Read this blog post to dive deeper into backup and recovery from ransomware attacks.
Diane checks her watch. It’s 8:05 AM, Monday morning. Friday’s long day had stretched into a long, sleep-deprived weekend. In a crowded conference room, Diane takes a deep breath and says, “OK, Dennis, give me the good news and the bad news. And PLEASE tell me there’s no bad news.”
“We caught a break, here,” Dennis replies, “I’m glad this happened so close to the weekend. Aside from some customer aggravation, I don’t think that there’s any permanent damage. I’m looking at the dashboard and it looks like orders are flowing normally. All the sales we had to record on paper on Friday are showing up as transactions in the system.” He pauses. “I think we are back in business.”
Cheers erupt from the conference-room phone.
“We don’t know exactly how they got in,” Dennis adds. “Best guess is through a user with admin privileges. All the logs were scrubbed, so there’s no way to tell for sure. We do know that a shared Administrator password allowed the ransomware to propagate. Their mistake was locking open data files on the first database server, which caused the application to crash. This was what notified me in the first place, and we were able to start shutting down systems. We went one computer at a time and manually scanned them. Short answer: we found seven that were definitely locked and ten more that had the ransomware loaded up but not activated. We immediately unplugged them from the network, which is how they’ll stay. We were able to recover from backup to get five back up and running, and it looks like the data we recovered from the read-only database copy was reasonably up to date. It only comes online every four hours, so it’s likely the attackers never knew it was there. Sales reports the system is slow, but it’s working.”
Diane pauses a moment, forcing herself to focus. “So, what happens now? What do we do next?”
“I submitted a draft report that outlines everything in more detail, but in short, it could have been a lot worse. Backups of both systems and the database were not affected. Without that, we would have had to start from scratch. I’m recommending a much more robust IAM solution to ensure we’re never in a position of having shared passwords again, along with an offline logging system to ensure we can always go back and see what happened. Finally, I recommend better endpoint protection be implemented on servers and desktops.”
“One more thing,” Diane says. “I want us to put together a Business Continuity Plan so we’re not the only people who know all this stuff when something bad happens again. What would’ve happened if Dennis was on vacation?”
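Two of Dennis’s findings above, a shared Administrator password that let the ransomware propagate and local logs that were scrubbed, point at one detection: an account that suddenly logs on to many hosts in a few minutes, spotted in logon records forwarded to a collector the attacker cannot reach. The following is an added example, not code from this article or from Anexinet: it parses constructed logon lines and raises an alert when one account reaches more than a set number of distinct hosts inside a sliding time window. The line format, host names, addresses and thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log line format (an assumption for this example, not a real product's schema):
#   <ISO timestamp> host=<destination> user=<account> src=<source ip> event=<logon_success|logon_failure> logon_type=<n>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"event=(?P<event>\S+) logon_type=(?P<logon_type>\d+)$"
)

# Constructed sample: one shared admin account fanning out across five hosts in three
# minutes, plus ordinary activity from two named accounts.
SAMPLE_LOG = """\
2020-03-06T05:02:11 host=ws-07 user=Administrator src=10.0.5.23 event=logon_success logon_type=3
2020-03-06T05:02:40 host=ws-12 user=Administrator src=10.0.5.23 event=logon_success logon_type=3
2020-03-06T05:03:05 host=fs-01 user=Administrator src=10.0.5.23 event=logon_success logon_type=3
2020-03-06T05:03:59 host=db-01 user=Administrator src=10.0.5.23 event=logon_success logon_type=3
2020-03-06T05:04:30 host=backup-01 user=Administrator src=10.0.5.23 event=logon_failure logon_type=3
2020-03-06T05:05:12 host=ws-03 user=Administrator src=10.0.5.23 event=logon_success logon_type=3
2020-03-06T06:10:00 host=db-01 user=dennis src=10.0.2.14 event=logon_success logon_type=3
2020-03-06T06:12:30 host=backup-01 user=dennis src=10.0.2.14 event=logon_success logon_type=3
2020-03-06T08:00:02 host=ws-01 user=diane src=10.0.4.8 event=logon_success logon_type=2
this line is malformed and is skipped
"""


def parse_log(lines):
    """Yield one dict per well-formed line; silently skip anything that does not match."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        yield ev


def detect_fanout(events, window=timedelta(minutes=10), max_hosts=3):
    """Alert when one account logs on successfully to more than max_hosts distinct hosts
    inside any sliding window of the given length. Returns a list of alert dicts."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["event"] == "logon_success":
            by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        best, best_span, start = set(), None, 0
        for end, ev in enumerate(evs):
            # Advance the window start until the oldest event is within `window` of this one.
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            hosts = {e["host"] for e in evs[start:end + 1]}
            if len(hosts) > len(best):
                best, best_span = hosts, (evs[start]["ts"], ev["ts"])
        if len(best) > max_hosts:
            alerts.append({
                "user": user,
                "hosts": sorted(best),
                "first": best_span[0],
                "last": best_span[1],
                "sources": sorted({e["src"] for e in evs}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_fanout(parse_log(SAMPLE_LOG.splitlines())):
        print(f"{alert['user']} reached {len(alert['hosts'])} hosts between "
              f"{alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S}: {alert['hosts']}")
```

The check is deliberately account-centric because a password shared across machines makes every host look like a legitimate destination for that one account; the same sliding window keyed on the source address would catch a single compromised workstation reaching out with several different credentials. Thresholds need tuning against a baseline, since backup agents and patch tooling legitimately fan out on a schedule.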
When it comes to ransomware, your best defense is a good offense. Educate your employees. Explain to them that they are a target and should regard themselves as such and take common-sense precautions so as not to fall victim to an attack. Partnering with an organization such as Anexinet that has vast experience protecting organizations against ransomware is essential. If you’d like help ensuring your organization’s readiness against ransomware attacks, please check out our Disaster Recovery Kickstart, which helps you eliminate vulnerabilities by adopting the latest industry-standard practices and procedures, or sign up for our Identity Access Management (IAM) Modernization Assessment for strategic direction to strengthen, mature and modernize your Identity Management Program.
Lastly, please don’t hesitate to reach out to us with any questions or concerns. We’d love to help you get protected.