No Ransom, No Cry

The recent WannaCry (WannaCrypt) malware attack further shows how many organizations are still unprepared to prevent, respond and recover from such attacks.  This malware and a lot of other viruses typically take advantage of a well-known exploits, most of which have a fixes/updates to mitigate these issues. Case in point, MS17-010.  This security update had been out almost a full two months before WannaCry was released in the wild.  WannaCry used this exploit to further propagate itself to other nodes on a network, once a system was compromised.  Had this patch been deployed, most organizations could have avoided most, if not all, of this mess.  I say most, because several of these organizations, not only don’t have a patch compliance process in place, are still running on operating systems that have not been supported for years. Support for Windows XP ended on April 8, 2014 and Windows Server 2003 end on July 14, 2015.  These organizations knew for years that end of support for these operating systems was coming and yet here they are years afterword seeing the results of “saving” time and money.  We are now soon approaching end-of-life for Windows 7 and Windows Server 2008 (January of 2020), and many organizations are falling into the same trap.

But enough Crying over spilled milk. Let’s put forward some practical options to help you prevent and, in the worst case, recover from such an attack.  I broached the subject in an article I wrote back in November 2016, so I will try no to reiterate too much.

Here are some controls/processes to put in place, in no particular order of priority:

  • Ensure you are running on supported server and client operating systems
  • Have a patch/update management process for all OSes and all applications running on systems
  • Ensure you are running anti-malware/virus on ALL OSes, including mobile devices
  • Run regularly schedule server and end-point vulnerability assessments
  • Provide Least Privilege access to operating systems and share file/folder resources
    • Most users do not require administrator access to the local operating system, so don’t give it.
    • Give users only minimum required access to files and folders required for them to access and conduct work.  Don’t give them Write/Modify permissions if they only need Read access
  • Have an information management policy and controls to protect against data loss and leakage

The primary attack vector for most (not all) malware is via email.  Refer to this article for additional email protection discussion, along with these options:

  • Use Spam gateway or cloud service (features will vary based on vendor and add-ons) for email
    • Attachment and message blocking for readily identified malware
    • Attachment blocking for Zip, Exe, Scr, Vbs, etc… and other potentially unsafe attachments
    • Anti-Spoofing rules for internal email addresses

We’ve highlighted some preemptive measures thus far, but from a recovery perspective, nothing beats a good backup and recovery strategy.  In lieu of that, a document/file versioning can be used as a recovery option, depending on the Crypto overwrite/replacement strategy.  For example, a crypto malware attack may replace or overwrite a file multiple times, let’s say 3 times. With OneDrive for Business you can setup versioning to keep, let’s say 25 previous major versions of a file, in that case, it may be possible to recover the currently encrypted version of a file 4 versions back, just past the last encrypted write.  Not necessarily the optimum solution, but if you have no good backup or possibly need quicker access to important files while you are waiting to get access to your backups, this may me a viable option.

As axiom goes “an ounce of prevention is worth a pound of cure” could not hold more true than when it comes information security.  Data backups, incident responses and disaster recovery plans are great and important components of comprehensive security program, but they are like insurance, they only kick in after the damage is already done.  Preemptive controls can provide protection to prevent loss or unauthorized modification of data/information.

There is no silver bullet when it comes to information security, so you must always think of a defense-in-depth strategy when it comes to protecting your information assets.  I hope the information in this article will point you in a direction to start planning and implementing a comprehensive plan to keep you from even contemplating paying ransom for your own information.  We need to eliminate the profitability for these type of attacks.  If we don’t pay, there is no profit. We can only keep that from happening by implementing programs, policies, procedures, controls, monitoring and having the diligence to see it through.

No Ransom, No Cry.