Luke Potter, SureCloud’s Cybersecurity Practice Director, looks at what organisations can do to minimise the risk of a falling victim to a ransomware attack – and offers advice on how to respond if you do
The WannaCry ransomware attack took the world by storm last month, successfully claiming 200,000 victims across 150 countries – and with some high-profile casualties, including the NHS. It spread quickly and was highly disruptive – grabbing news headlines across the globe and putting IT security in the spotlight.
Of course, WannaCry was not the first – nor is it likely to be the last, as we have seen with the Petya attack, – a form of ransomware that can be distributed by cyber-criminals. However, this should serve as a warning to organisations that they need to start taking urgent steps to protect themselves against this serious malware.
So, in the aftermath of an attack, what steps should organisations be taking to reduce their risk of falling victim to ransomware?
Organisational threats and prevention
As many organisations are aware, one of the most common methods of ransomware gaining a foothold on an internal network is through phishing attacks. This is where a malicious actor sends an email that appears to be legitimate, to unsuspecting users containing malicious files, or contains a link to sites where users are prompted to download files that don’t initially appear dangerous. Web and email filters provide an initial defence against malicious website content and incoming email threats respectively and it is recommended that binary files are quarantined, or outright blocked, when sent as an attachment, including executables and scripts.
The less common, but still ever-present risk is that services or applications on an organisation’s perimeter network may be vulnerable to cyber-attacks. When conducting penetration tests SureCloud regularly find web applications with file upload functionality that would allow an attacker to upload malicious files, or to cause remote-code execution on the host servers. Critically, services that provide direct access to a host system should not be exposed to the public internet, whether it is a service that is used for network-file sharing such as SMB/Samba, or remote desktop services such as Microsoft’s RDP or Xserver.
With the recent disclosure of the vulnerabilities and exploit tools that are now distributed throughout the public internet by the Shadow Brokers group, many organisations that operate systems affected by these vulnerabilities are prime targets for ‘low-hanging-fruit’ attacks. Several of these exploitable vulnerabilities can provide attackers with direct access to these systems with high-level privileges. And depending upon the security posture of the organisation it may be possible to access internal networks along with corporate or consumer data.
The key point of this is that organisations with a larger attack surface (e.g. a large internet presence and hundreds/thousands of staff) or a minimal security posture may not be able to defend against ransomware attacks. As such regular backups, including long-term data backups, should be part of the operational security process within an organisation’s IT strategy. Backups, of course, would also require a defined disaster recovery process, which should be tested at least every 6-12 months for assurance purposes.
In addition to running regular back-ups, businesses should also ensure that their systems are regularly patched – and where this is not possible because support has ended consider alternative solutions to address vulnerabilities. Many organisation still rely on Windows XP and Windows Server 2003 to run critical business applications, despite the discontinued support from Microsoft for security updates. Organisations that cannot patch should look to mitigate any risks associated with these systems by restricting services, hardening the remaining services through configuration changes, and by using industry-recognised anti-virus and anti-exploit solutions where possible.
Mitigation following an infection
Even if an organisation takes these preventative measures it is still possible that they could end up as a victim of ransomware. In this scenario, it is strongly recommended that organisations never pay the ransoms demanded post infection. Not only would this cost a considerable amount of money (depending on the number and the roles of the affected systems), but it also rewards attackers unnecessarily when a well-designed disaster recovery process could recover most of any data that is lost.
If an organisation’s backups do not include up-to-the-minute copies of their data, then a consideration for risk acceptance would be to lose (at most) a day’s worth of data. This assumes that daily backups are performed, with longer-term backups being stored off-site and air-gapped from the corporate network.
A short-term mitigation to limit the exposure of the malware, should it be a worm-based or manually-led attack, would be to isolate affected systems immediately. The effects that a temporary loss of service may cause would be minimal for staff members or to the public for any Internet-facing services when compared to the loss of actual data.
With ransomware now a permanent and established weapon in the cyber attacker’s arsenal it is critical that organisations put in place not only preventative measures but also remediation plans for when the worst happens. Failure to do so is likely to have a damaging effect on the organisations brand and other serious consequences.