[BreachExchange] Protecting against ransomware using PCI DSS and other hardening standards

Audrey McNeil audrey at riskbasedsecurity.com
Fri May 18 20:16:31 EDT 2018


Ransomware continues to bring organisations down to their proverbial knees.
SamSam ransomware crippled systems for the US city of Atlanta. Not too long
before that, SamSam locked up systems at AllScripts. Meanwhile, WannaCry
continues to pose a threat, hitting Boeing one year after making a huge
impact on the UK's National Health Service and others last spring.

To pay or not to pay? But is that really the question? First of all,
keeping back-ups is always a good idea, so even if you do get ransomware on
your system you can recover quickly without paying and encouraging this
sort of activity. But also, the question most organisations should be
asking – especially those who have yet to get to the "pay or not pay"
question – is "are our systems hardened properly and have we done enough to
lessen the chances of ransomware getting on our systems in the first place?"

Let's take a look at how the latest, biggest and baddest ransomware attacks
happened to explore this further.


Attackers hit the City of Atlanta in the US with ransomware that caused
disruption to at least five out of 13 departments. There were outages on
customer facing applications, including some that customers may use to pay
bills or access court-related information. Police reportedly had to resort
to handwritten reports.

This isn't the first time SamSam has struck; it's been around since at
least 2015. A strain hit the US Colorado Department of Transportation in
February, and locked up systems at Allscripts the month before that.

While lots of run-of-the-mill ransomware spreads through social engineering
such as phishing, SamSam takes a different approach. Instead of relying on
trickery, this sophisticated ransomware exploits known vulnerabilities or
attempts to guess weak passwords to get onto systems.

WannaCry and NotPetya

WannaCry made quite the impact when it made its first outbreak last May. It
infected hundreds of thousands of vulnerable computers around the world,
including 34 percent of UK National Health Service (NHS) trusts.

This ransomware's attack vector of choice is also known vulnerabilities.

Less than two months later, NotPetya abused that same Microsoft
vulnerability to strike banks, airports and power companies in Ukraine,
Russia and parts of Europe. (Kaspersky Lab says NotPetya is wiper malware,
not ransomware, because its encryption algorithm prevents the decryption of
infected disks even if victims pay the ransom).

One year later we're still seeing WannaCry and NotPetya pose a threat to
organisations, as made evident by the recent attack on Boeing.

Sophisticated, not invincible

While these strains of ransomware are more sophisticated than the
run-of-the-mill ransomware attacks, the fact that they are technical in
nature means there are specific measures we can take to decrease the chance
of a significant attack.

These attacks use technology; they don't rely on people being fooled into
"inviting" ransomware onto their system. By way of comparison, let's review
the AIDS Trojan – believed to be the first piece of ransomware to be

AIDS Trojan didn't abuse a vulnerability for distribution.

Bad actors circulated the threat on infected floppy disks they sent to
unsuspecting web users' homes. When someone loaded the disk onto their
computers, the malware allowed 90 boot cycles to pass before hiding the
directories, encrypting the names of files on the C drive, and demanding
the user send a cheque for US$189 (£140) to a PO Box in Panama for the PC
Cyborg Corporation.

The attack relied on people being fooled into inserting the disk into their
system. And while we don't see a lot of floppy disks going around these
days, lots of ransomware attacks follow the same sort of social engineering
approach – only now it's usually in the form of people clicking on
malicious links.

But the fact that the latest big ransomware attacks didn't focus on fooling
humans means we can improve defences by hardening our systems.

What you should have been doing already

Most organisations that process card payments should comply with the PCI
DSS standard. Ensuring compliance with PCI DSS is a good place to start in
defending against threats like ransomware. Doing so can help organisations
identify and strengthen weakened controls and reduce their attack surface.
It can also assist companies in implementing security controls such as file
integrity monitoring and vulnerability management, and in deploying a central
log aggregator, such as a SIEM.

But it's not just PCI DSS that offers these hardening capabilities. There
are a number of standards and regulatory requirements with overlapping
controls, such as CIS (Center for Internet Security), ISO 27001 and the
widely used HIPAA (Health Insurance Portability and Accountability Act),
which offer similar recommendations to help reduce the attack surface.

Enterprises sometimes struggle to achieve compliance, however. Time and
effort are required to initially reach compliance. Organisations must then
attempt to remain compliant and determine if compliance is consistent, all
while dealing with tedious audits. They must also make sure they're going
beyond compliance to emphasise the security of their systems against
threats like crypto-ransomware. A technology such as file integrity
monitoring (FIM) could help detect the outbreak of a ransomware attack by
flagging a large number of files changing; it could also help identify which
files were impacted, making recovery from backups an easier process. Some
FIM products can also detect the presence of early indicators of compromise,
or confirm that a specific patch has been deployed or a security control is
in place.
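As an added illustration of the FIM point above (this is not code from the article or from any FIM product): a minimal baseline-and-compare monitor in Python that hashes a directory tree, flags a ransomware-like burst when more than an assumed 50% of baselined files are modified or removed in one scan, and returns the changed-file lists an operator would hand to the restore-from-backup step. The scenario data is constructed inline; no real malware is involved.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map each regular file under root (relative path) to its SHA-256 digest."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                snap[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return snap

def compare(baseline, current):
    """Return (modified, removed, added) relative paths between two snapshots."""
    modified = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    removed = sorted(p for p in baseline if p not in current)
    added = sorted(p for p in current if p not in baseline)
    return modified, removed, added

def outbreak_suspected(baseline, current, threshold=0.5):
    """Flag a burst: more than `threshold` of baselined files modified or gone in one scan.
    The threshold is an assumed tuning value; real deployments also alert on change rate."""
    if not baseline:
        return False
    modified, removed, _ = compare(baseline, current)
    return (len(modified) + len(removed)) / len(baseline) > threshold

def demo():
    """Constructed scenario (no real malware): four files are baselined, three are then
    overwritten with random bytes and one of those is also renamed with a new extension."""
    with tempfile.TemporaryDirectory() as root:
        for i in range(4):
            with open(os.path.join(root, f"doc{i}.txt"), "w") as fh:
                fh.write(f"invoice {i}\n")
        baseline = snapshot(root)
        for i in range(3):  # simulate in-place encryption of three of the four files
            with open(os.path.join(root, f"doc{i}.txt"), "wb") as fh:
                fh.write(os.urandom(32))
        os.rename(os.path.join(root, "doc2.txt"), os.path.join(root, "doc2.txt.locked"))
        current = snapshot(root)
        # The modified and removed lists are exactly the files to restore from backup.
        return compare(baseline, current), outbreak_suspected(baseline, current)
```

Running `demo()` reports doc0.txt and doc1.txt as modified, doc2.txt as removed and doc2.txt.locked as added, and raises the outbreak flag because three of four baselined files were hit.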

Done well, compliance with regulations such as PCI DSS and other
recommended hardening standards, can protect against ransomware, so it's
well worth the investment.