[BreachExchange] You’ve been hit with ransomware. Now what?

Audrey McNeil audrey at riskbasedsecurity.com
Thu Apr 21 20:32:20 EDT 2016


http://www.cio.com/article/3059574/security/you-ve-been-hit-with-ransomware-now-what.html

Imagine waking up to an urgent 5 a.m. call: Something has taken over your
corporate network and encrypted all of your data, and supposedly the only
way to get it all back is to pay a significant sum to an anonymous third
party using Bitcoin. While that scene might sound like something out of
Hollywood, it is actually very real – and it’s exactly what several
variants of ransomware are doing to organizations around the globe.

Two recent appearances of ransomware in the news demonstrate that it is a
problem that is growing in both volume and significance, as larger and
larger organizations, some critical to public and social services, are
impacted by an outbreak:

The BBC reports that the Chino Valley Medical Center and Desert Valley
Hospital, in the state of California, were infected with ransomware. A
spokesman for the owner of the medical center, Prime Healthcare Services,
confirmed that there were some “significant disruptions of [the medical
center’s] hospital systems.”

In a recent high-profile case, the Hollywood Presbyterian Medical Center
declared an internal emergency after suffering an outbreak of ransomware.
Ultimately, this hospital decided to ante up the required Bitcoin ransom
payment, handing over $17,000 in order to regain access to its computers. The
original ransom demand was for $3.7 million in Bitcoins, so if nothing
else, that is some decent negotiating on the part of the hospital.

A Kentucky medical center, Methodist Hospital, was recently infected by a
ransomware attack. This time, the strain of the ransomware was confirmed:
Locky, a newer family of crypto-ransomware in the same vein as Cryptolocker,
infiltrated the defenses of the medical center’s network and spread across
the entire internal network as well as several other systems, according to
the CNBC report. At the time of this writing, the ransom demand was for
$1,600 for this particular hospital, and it was unclear whether the hospital
intended to pay. Another report in Ars Technica quotes the hospital’s
attorney: “I think it’s our position that we’re not going to pay it unless
we absolutely have to.”

This stuff is insidious. Ransomware typically arrives as an email
attachment purporting to be an invoice, a shipment tracking document or
something else seemingly innocuous. Once the attachment is opened (and, for
Office documents, once the user enables macros), the ransomware silently
begins encrypting every file it can reach, with no further user interaction
and no notification. Only once its dastardly deed is done does it prompt the
user with information about how much the ransom is, how to pay it and more.

The first versions of Cryptolocker were not smart enough to go after data on
network drives and only inflicted unwanted encryption on files stored locally
on a machine. This could still be paralyzing in some instances, but for
medium to large businesses that stored the majority of their data on network
shared drives and SANs or NASes, it provided a level of relief.

That is sadly no longer the case. As the malware has grown more successful
and more profitable for its authors, most ransomware variants can now
traverse mapped network drives and UNC paths, encrypting anything they can
actually touch with the permissions of the user account under which the
malware is executing. Every share that account can write to, including any
backup destination it can reach, is in scope. The results, as you can tell
from recent news reports about ransomware, can wreak havoc.

Strategies for dealing with ransomware

There are two basic solutions to the ransomware problem, one simple and one
that will probably tear your team apart during the implementation.
(Technically, there are three, but I don’t count actually paying the ransom
as a solution, because paying buys no immunity from the next infection and
the price will surely keep rising as attacks and infestations become more
successful.)

Regular and consistent backups along with tested and verified restores. The
only way not to feel held hostage by a ransomware attack is to have a better
alternative than paying: full and recent backups of all of your data, proven
through consistent, regular restore exercises that show the backups actually
work. Keep at least one copy where the infected account cannot write to it
(offline, or on storage that ordinary user accounts have no permission to
modify), because ransomware that walks UNC paths will encrypt a reachable
backup share as readily as any other share.

Then, along with vigilant monitoring (many technologists report success
with file monitoring that flags large numbers of files being changed in
quick succession, especially files that have otherwise not been touched in
a while) and with appropriate file and folder permissions in place so that
each account can only write where it needs to, you can detect an outbreak
quickly and restore any encrypted data from your backups. This way, you do
not have to pay the ransom, and the only data at risk of irreversible
encryption is the data from initial infection to
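
The file-monitoring idea above can be turned into a concrete detector. The
following is an added example, not code from the article or from any product
it mentions: it groups write and rename events per user into bursts, flags
any burst that touches more files than a threshold without a pause longer
than the window, and reports what fraction of those files had not been
modified for a month or more according to a baseline of last-modified times.
The event format (timestamp, user, action, path), the sample audit lines, the
baseline and the thresholds are all constructed for this example.

```python
"""Mass-modification burst detector (added example, not from the article).

Assumed input format: one audit event per line,
"<ISO-8601 timestamp> <user> <action> <path>", as a file-server audit feed
might emit it. Paths are assumed to contain no spaces.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: alice edits two documents at a human pace,
# while a second account writes to eight files on a share within ten seconds.
SAMPLE_LOG = "\n".join([
    r"2016-04-21T08:00:01 alice WRITE \\fs01\finance\q1-report.docx",
    r"2016-04-21T08:04:10 alice WRITE \\fs01\finance\q1-report.docx",
    r"2016-04-21T08:12:44 alice WRITE \\fs01\finance\budget.xlsx",
    r"2016-04-21T09:29:59 bob READ \\fs01\hr\contract-2011.pdf",
    r"2016-04-21T09:30:00 bob WRITE \\fs01\hr\contract-2011.pdf",
    r"2016-04-21T09:30:01 bob WRITE \\fs01\hr\contract-2012.pdf",
    r"2016-04-21T09:30:02 bob WRITE \\fs01\hr\contract-2013.pdf",
    r"2016-04-21T09:30:04 bob WRITE \\fs01\hr\handbook-2014.docx",
    r"2016-04-21T09:30:05 bob WRITE \\fs01\hr\payroll-2015.xlsx",
    r"2016-04-21T09:30:07 bob WRITE \\fs01\hr\org-chart-2015.pdf",
    r"2016-04-21T09:30:08 bob WRITE \\fs01\hr\onboarding.docx",
    r"2016-04-21T09:30:09 bob WRITE \\fs01\hr\vacation-2016.xlsx",
])

# Constructed baseline: when each file was last modified before the events above.
BASELINE = {
    r"\\fs01\finance\q1-report.docx": datetime(2016, 4, 20, 17, 5),
    r"\\fs01\finance\budget.xlsx": datetime(2016, 4, 19, 11, 0),
    r"\\fs01\hr\contract-2011.pdf": datetime(2011, 6, 3, 9, 0),
    r"\\fs01\hr\contract-2012.pdf": datetime(2012, 2, 14, 9, 0),
    r"\\fs01\hr\contract-2013.pdf": datetime(2013, 9, 30, 9, 0),
    r"\\fs01\hr\handbook-2014.docx": datetime(2014, 1, 8, 9, 0),
    r"\\fs01\hr\payroll-2015.xlsx": datetime(2015, 12, 31, 9, 0),
    r"\\fs01\hr\org-chart-2015.pdf": datetime(2015, 7, 1, 9, 0),
    r"\\fs01\hr\onboarding.docx": datetime(2016, 4, 15, 9, 0),
    r"\\fs01\hr\vacation-2016.xlsx": datetime(2016, 4, 18, 9, 0),
}

# Only actions that alter file content or names count towards a burst.
TRACKED_ACTIONS = {"WRITE", "RENAME"}


def parse_events(log_text):
    """Parse '<timestamp> <user> <action> <path>' lines into time-sorted tuples."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, action, path = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), user, action, path))
    events.sort(key=lambda e: e[0])
    return events


def summarize_burst(user, burst, threshold, baseline, stale_cutoff):
    """Return an alert dict if the burst touched at least `threshold` distinct files."""
    paths = {path for _ts, _user, _action, path in burst}
    if len(paths) < threshold:
        return None
    start = burst[0][0]
    # Files nobody had modified for longer than stale_cutoff before the burst began.
    stale = [p for p in paths if p in baseline and start - baseline[p] > stale_cutoff]
    return {
        "user": user,
        "start": start,
        "end": burst[-1][0],
        "files": len(paths),
        "stale_fraction": len(stale) / len(paths),
    }


def detect_bursts(log_text, baseline, window_seconds=60, threshold=5, stale_days=30):
    """Split each user's write/rename events into bursts and flag the large ones."""
    by_user = defaultdict(list)
    for event in parse_events(log_text):
        if event[2] in TRACKED_ACTIONS:
            by_user[event[1]].append(event)
    gap = timedelta(seconds=window_seconds)
    stale_cutoff = timedelta(days=stale_days)
    alerts = []
    for user, events in by_user.items():
        burst = [events[0]]
        for prev, cur in zip(events, events[1:]):
            if cur[0] - prev[0] <= gap:
                burst.append(cur)  # same burst: no pause longer than the window
            else:
                summary = summarize_burst(user, burst, threshold, baseline, stale_cutoff)
                if summary:
                    alerts.append(summary)
                burst = [cur]
        summary = summarize_burst(user, burst, threshold, baseline, stale_cutoff)
        if summary:
            alerts.append(summary)
    alerts.sort(key=lambda a: a["start"])
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG, BASELINE):
        print(alert)
```

The stale-file fraction is what separates a bulk edit by a real user from an
encryptor sweeping a share: a person rarely rewrites five-year-old contracts
at one-second intervals. In production the thresholds would be tuned per
share and the alert would feed whatever isolates the offending account.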

Application whitelisting. Essentially the only way to definitively prevent a
ransomware attack – or any other malware infestation, for that matter – from
even taking hold is to implement application whitelisting. Whitelisting
involves computing checksums and other “digital fingerprints” for the
applications that you deem permitted to run on your systems, and then cutting
everything else out, disallowing that code from executing at all.

Sounds great, right? No unapproved executable can run if it is not already
whitelisted, so not only does this approach protect you from current
threats, but it also acts as a prophylactic against future malware. One
caveat: whitelisting decides which programs may start, not what a permitted
program does, so a malicious macro running inside an approved copy of Word,
or a script fed to an approved interpreter, still needs other controls. Even
so, and even though you would still do well to have edge and endpoint
security, having a known-good list of applications and black-holing
everything else would be a significant step up in security.

Aye, but therein lies the rub: if you took the superset of all of the
applications regularly used by all of your users, across their varying
versions and patch levels, you might very well have thousands of programs –
and to use the built-in software whitelisting functions within Windows with
hash rules, you would need to create a fingerprint for every single one of
them. (Rules keyed on the vendor’s code-signing certificate rather than on a
file hash survive patches, but only for software that is signed.) There are
various automated solutions available, but they all carry a cost, for the
licensing as well as the administration time.
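
To make the checksum approach concrete, here is an added example, not the
article’s code and not Windows’ built-in whitelisting: a default-deny SHA-256
allowlist built from an approved-software directory. The directory, the file
names and their contents are constructed stand-ins for real binaries. The
demo shows that a byte-for-byte copy of an approved program is allowed
regardless of its path or name, while a patched build (the maintenance burden
described above), an unapproved “invoice” attachment and an unreadable path
are all denied.

```python
"""Hash-based application allowlist (added example, not from the article).

The approved-software directory, the file names and the file contents used in
demo() are constructed stand-ins; a real allowlist fingerprints the actual
binaries from a reference build.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Stream the file through SHA-256 so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def build_allowlist(approved_root):
    """Map the SHA-256 of every file under approved_root to its approved name."""
    allow = {}
    for dirpath, _dirs, names in os.walk(approved_root):
        for name in names:
            full = os.path.join(dirpath, name)
            allow[sha256_file(full)] = os.path.relpath(full, approved_root)
    return allow


def check_execution(path, allowlist):
    """Default deny: only a file whose hash is on the list may run.

    Returns (allowed, reason). Anything the policy cannot fingerprint is
    denied too, because a file it cannot read cannot be vouched for.
    """
    try:
        digest = sha256_file(path)
    except OSError as exc:
        return False, f"deny: cannot fingerprint ({exc.strerror})"
    approved_name = allowlist.get(digest)
    if approved_name is None:
        return False, f"deny: sha256 {digest[:16]}... is not on the allowlist"
    return True, f"allow: matches approved file {approved_name}"


def _write(directory, name, data):
    """Write constructed file contents and return the path."""
    path = os.path.join(directory, name)
    with open(path, "wb") as f:
        f.write(data)
    return path


def demo():
    """Exercise the policy against the situations the article raises."""
    putty = b"MZ" + b"putty-0.67-release-bytes" * 64      # constructed stand-in
    npp = b"MZ" + b"notepad++-6.9-release-bytes" * 64     # constructed stand-in
    with tempfile.TemporaryDirectory() as approved, tempfile.TemporaryDirectory() as endpoint:
        _write(approved, "putty.exe", putty)
        _write(approved, "notepad++.exe", npp)
        allowlist = build_allowlist(approved)
        results = {
            # Same bytes copied from a thumb drive under another name:
            # a hash rule does not care about the path.
            "copied_putty": check_execution(
                _write(endpoint, "putty-portable.exe", putty), allowlist),
            # A vendor patch changes a single byte, so the old fingerprint
            # no longer matches until the allowlist is rebuilt.
            "patched_npp": check_execution(
                _write(endpoint, "notepad++.exe", npp[:-1] + b"!"), allowlist),
            # The "invoice" from an e-mail attachment was never approved.
            "invoice": check_execution(
                _write(endpoint, "invoice_2016-04.pdf.scr", b"MZ" + b"\x90" * 512), allowlist),
            # A path that does not exist or cannot be read is denied as well.
            "missing": check_execution(
                os.path.join(endpoint, "does-not-exist.exe"), allowlist),
        }
    return results


if __name__ == "__main__":
    for case, (allowed, reason) in demo().items():
        print(f"{case:14} {reason}")
```

The same three outcomes are what an enforcement agent would return to the
operating system’s execution hook. The patched case is the one that generates
the ongoing work: every vendor update means re-fingerprinting and redeploying
the list before users can run the new build.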

Finally, with whitelisting, there’s the user acceptance factor: your users
won’t be able to download anything, including browser plugins, which you
have not already allowed in advance. This includes even the most minor
programs, like PuTTY, the SSH client popular with your IT staff, or
Notepad++, a great text editor many knowledge workers like to download to
enhance quick notetaking. (Both of those programs are available as single
executable files with no installation required and are portable between
systems, meaning that they often find their way onto thumb drives or USB
storage devices and are shared freely among coworkers.)

Are you and your IT team up for the massive effort not only to establish
the initial set of whitelisted definitions but also to continually maintain
them, even as new patches change file hashes, new employees request
new programs, and additional services come online? It would truly be a
massive undertaking, but I call it the nuclear option simply because it is
the most straightforward (not easiest; but most plainly simple) way of all
but eliminating the threat of ransomware on your systems.