By Stu Sjouwerman, CEO of KnowBe4
By now, few people will be unfamiliar with the term “ransomware”, although not everyone understands what it means. They know it is a nasty virus of some kind that causes a lot of problems; for most, however, their understanding stops there. This matters because it is difficult to protect against something that is not understood.
Ransomware, in its basic form, is a type of malicious software designed to encrypt valuable data and demand a payment to decrypt it. Encryption is nothing new. We use it daily when we make purchases on the internet, log in to our bank accounts, or even access data at work. Most of the time we don’t even notice it happening, but it keeps our data safe from prying eyes and bad guys with bad intentions.
Encryption Works – Which Makes Ransomware a Challenge
Make no mistake, encryption is very effective. It is estimated that standard desktop computing power would take more than 6.4 quadrillion years to break a 2048-bit SSL certificate using brute-force methods. It is common for ransomware to use strong encryption such as RSA 2048-bit encryption, which the layperson wouldn’t know how to work around. Even pros have a hard time bypassing it, so you aren’t likely to get your data back using brute-force methods. There have been cases where “decryptors” have been created for certain types of ransomware, but those work by finding flaws in the process the malware used to perform the encryption, not in the encryption itself. In other words, when these “decryptors” are deployed they succeed by breaking the encryption software, not the encryption.
For this reason, it is much wiser for organisations to focus on preventing ransomware attacks in the first place, rather than trying to recover from them. This means taking the threat seriously and deploying some protections against it quickly. Ransomware generated more than $1 Billion in losses last year, and does not discriminate between large business, small business, or personal data. The recent WannaCry attack, which crippled the NHS, Renault, and a number of other organisations, was a significant wakeup call as to how damaging ransomware can be.
Next Steps – Protecting Your Institution
So, how do you protect against things like WannaCry when you are a part of an educational institution with both staff and students on the network using all sorts of different devices? It is a challenge, but if you follow these steps, you can reduce the risk significantly and limit the damages in the event that your institution does experience a successful ransomware attack:
1. Check your firewall configuration, make sure no criminal network traffic is allowed out, and disable SMB1 on all machines. First, make sure you know what traffic is permitted into the network. Ask yourself whether port 445 should really be allowed in from the internet. Also, many organisations leave outbound traffic unfiltered or unchecked.
While it can be difficult to distinguish criminal activity from regular traffic, blocking ports and protocols that are not typically used to cross the boundary of a network can help. In addition, if you aren’t applying IPS rules to outbound traffic, you should seriously consider doing so. The IPS can spot Indicators of Compromise (IoCs) and block the traffic, which can stop the encryption from happening even if the ransomware is launched. Also, if you are using older protocols like SMB1, it is time to disable them. Security best practice dictates that you should disable unused protocols and services to reduce the attack surface, and this is no exception.
2. Wipe the machine and re-image from bare metal, for WannaCry or any ransomware infection. Ransomware is typically installed in a couple of steps. First, the user launches the malware (usually a “Trojan Dropper”), which goes out to the internet and downloads the actual ransomware package. If it can get the ransomware on your machine, it can also install other malware at the same time.
It is good hygiene to wipe any machine already infected by malware because you cannot be certain of what else has been installed. In the immortal words of Ripley in the 1986 movie “Aliens”, “Nuke it from orbit… It’s the only way to be sure.” Wiping the machine is your nuke option. Be careful what data you restore after the rebuild, as well. You don’t want the ransomware to return because you restored an infected file.
3. Install a Secure Email Gateway (SEG) that does URL filtering and make sure it’s tuned correctly. Since most ransomware is spread via email, this is an important step. While it relies on reputational information, typically meaning someone else has already been infected by something from the suspect URL, if you aren’t in the first wave of attacks the SEG can be a powerful tool. You need to update this information very frequently, however, for it to be most effective. In some cases we see the bad guys using password-protected .zip files to stop the software from examining the links in the attachment. However, if you train your users to be highly suspicious of any email that includes both an attachment and a password in the message body, it can still be very effective.
4. Patch endpoints, OS and 3rd-party applications very regularly. This has always been a struggle, as patches can cause unintended consequences including downtime. WannaCry did a good job of outlining how important this step still is, so learn from that experience and take patching seriously.
Most malware is not exploiting zero-day vulnerabilities, but instead older unpatched ones. If you have devices that you simply can’t update, make sure you have mitigating controls in place that will essentially isolate the devices from the network except for absolutely critical services.
5. Ensure endpoints and web-gateways have next-gen, frequently updated security layers. Updating signatures every 24 hours is not enough anymore; things just move too fast. Look at WannaCry and the “Google Docs” attack from a few weeks earlier to see just how fast these things spread. Your endpoints need to be updated every few hours (or less) to be effective in today’s world.
6. Identify users that handle sensitive information and enforce some form of higher-trust authentication like two-factor authentication. If you practice the principle of only allowing accounts with elevated privileges to access the most sensitive information, having a second factor to keep those accounts secure is a good idea. By doing this, even if malware is able to capture the credentials, the data is not accessible without the second factor. This can be used as a “canary in the coal mine”, as well. If a user gets a text with a login code for a privileged account and they did not try to log in with it, it should set off some alarms.
7. Review internal security policies and procedures specifically related to financial transactions to prevent CEO fraud. A very effective method is to have a policy where no sensitive data or large sums of money are transferred without speaking – actually talking – to someone first.
8. Deploy new-school security awareness training, which includes simulated social engineering tests via multiple channels, not just email. Bad guys have been known to spread malware via USB sticks, malicious advertisements on social media, and other similar methods. Your users are the last line of defence against these attacks, because once a user launches the malware or responds to the attack, all of the above-mentioned steps are reacting to the event. It’s much better to be proactive than reactive.
If you follow these eight steps, you will greatly reduce the risk of malware infections and ransomware such as WannaCry infecting your institution. Aside from stopping a massive threat, putting these processes in place allows you to be more proactive and better able to improve security in other areas, as opposed to putting out fires. Good luck and stay safe out there!