Taken by Ransomware? Certain Skills Required.

About Ransomware Campaigns

Skull and crossbones adorning a pair of Alexander McQueen boots, um yes, please. Skull and crossbones flashing across my PC, uh no, thanks. While the former speaks of swashbuckling ready-to-wear, the latter reeks of “I’m a victim of ransomware.”

When ransomware strikes, there aren’t many options for response and recovery. Essentially, you can choose to:

● Pay the ransom (and hope for the best). If you don’t have the very particular set of skills of Bryan Mills, you may decide to pay the ransom. It’s a choice, however, that comes with a few caveats. First, you need to have adequate cryptocurrency or the ability to convert traditional currency—either way, it’s neither cheap nor easy. You must also accept that there are no guarantees. Negotiating with cybercriminals could send you down a slippery slope. If you pay, hackers may or may not give you the decryption key to unlock your data. They may only provide partial access and demand more money. They may—in fact, it’s highly likely—strike again since they know you’re susceptible. And finally, they could use your payment to aid or fund illicit operations, including terrorism, that are in violation of domestic and/or international law.

● Not pay the ransom (and hope for the best). If Bryan Mills is more your style and you decide not to pay the ransom, it’s important to save the infected drive for future analysis. At some point, a security researcher could very well crack the encryption code on that version of ransomware and enable you to regain access to lost files.

● Restore data from backups. Option three assumes that your organization has comprehensive backups stored completely offline and separate from the compromised network.

● Nuke and pave. Sounds dramatic, I know. But if you don’t have backups and either can’t or refuse to pay a ransom, you’ll likely be forced to rebuild the impacted infrastructure from the ground up. Good times! 

Okay, not good times and not great choices, but as a whole, they do a great job of highlighting the importance of taking proactive steps to prevent infections. The tentacles of ransomware can reach far and wide. It’s not just a potential hit to your purse strings. When you lose access to data, you lose time, you lose productivity.

No More Would’ve, Could’ve, Should’ves

Instead of having to choose from lousy reactive options, wouldn’t it be better to get proactive and implement some practices that could help prevent ransomware infections in the first place?

Patch, Patch, Patch! 

If you’re like most, if not all, organizations, you have software installed on your systems. Software comes with vulnerabilities, and attackers love to exploit vulnerabilities. No doubt you’ve heard it before, but instituting and adhering to a solid patch-management policy cannot be stressed enough. 

Patching is a simple and effective way to help defend against ransomware. It should be a regular, habitual routine, whereby organizations update often and update everything—from laptops and desktops to servers, mobile devices, operating systems (Windows, macOS, Linux/Unix), endpoint security (antivirus/antimalware software), web browsers, and anything else that connects to the network.

Educate, Educate, Educate!

Sad but true: end users are most often to blame for ransomware attacks, either falling prey to a malicious phish or to a drive-by download on an infected site. Why? Maybe they didn’t know better. Maybe they forgot. Maybe they got lazy.

While it’s encouraging to see that more and more organizations are now requiring employees to attend security-awareness training programs, it doesn’t necessarily mean that everyone retains what they’ve learned. Therefore, education should be ongoing and encourage hypervigilance to the point where it becomes second nature for users to always be looking for signs of malicious intent and triple-checking sources before clicking on links or opening email attachments.

Block, Block, Block! 

Let’s talk vulnerable systems. 

A colleague of mine once worked for a company that was hit by a rash of ransomware. As a member of the incident response (IR) team, he wanted to get to the bottom of the issue. For about a month, the team looked into end-user browsing habits, personal email usage, attachment opens, anything that might reveal patterns of behavior and help to pinpoint initial infection vectors. What they found was that nearly 95 percent of all identified infections came from exploit kits attacking system vulnerabilities.

The more they researched, the more they kept returning to two invaluable blogs: Malware Traffic Analysis (MTA) and Broad Analysis (BA). Maintained by security researchers, these blogs, which offer threat intelligence on network traffic associated with malware infections, triggered a “Eureka!” moment. The IR team thought, “What if we were to scrape MTA and BA every morning for new ransomware domains and IPs and, accordingly, put in blocks at the firewall and web proxies?”

Their intent was to stop an infection in progress, before a second-stage downloader could be executed. Sure, a user might still open a malicious attachment or fall victim to a drive-by download and subsequent infection, but if the command-and-control (C2) domains and IPs were blocked, the team would have a fighting chance to stop a full-blown infection.
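One way to build the morning scrape-and-block step the team describes, as an added example that is neither the team's nor the blogs' code: it pulls IPs and domains out of a constructed text dump (the real MTA and BA post formats are not assumed), drops internal ranges and allowlisted business hosts, keeps only entries not already blocked, and emits them in Squid dstdomain form. The allowlist, internal ranges and sample indicators are all constructed for the example.

```python
import ipaddress
import re

# Constructed sample in the style of a daily threat-intel read-through. The IPs are
# RFC 5737 documentation addresses and the domains use the reserved .invalid TLD.
SAMPLE_FEED = """\
2017-03-01 - EXPLOIT KIT TRAFFIC - ransomware payload
Associated domains and IPs:
- 192.0.2.44 port 80 - kit-landing.example.invalid - GET /gate.php
- 198.51.100.7 port 443 - payload-cdn.example.invalid - HTTPS traffic
- 192.0.2.44 port 80 - kit-landing.example.invalid - POST /gate.php (repeat)
- 10.0.0.5 port 445 - internal victim host, appears in the same capture
- 203.0.113.9 port 80 - cdn.goodvendor.invalid - legitimate CDN also in the capture
"""

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
# Ranges that are never an external C2 endpoint; blocking them would cut off internal traffic.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Hosts the business depends on: a line naming one is skipped whole, because a shared
# CDN address showing up in a malware capture is not evidence that the CDN is malicious.
ALLOWLIST = {"cdn.goodvendor.invalid"}

def extract_indicators(text, allowlist=ALLOWLIST):
    """Return (sorted unique IPs, sorted unique domains) that are safe to block."""
    ips, domains = set(), set()
    for line in text.splitlines():
        line = re.sub(r"/\S*", "", line)  # drop URL paths so /gate.php is not read as a domain
        found = {d.lower() for d in DOMAIN_RE.findall(line)}
        if found & allowlist:
            continue
        domains |= found
        for raw in IP_RE.findall(line):
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:
                continue  # e.g. 999.1.1.1 matches the regex but is not an address
            if not any(ip in net for net in NEVER_BLOCK):
                ips.add(str(ip))
    return sorted(ips), sorted(domains)

def new_entries(ips, domains, already_blocked):
    """Keep only indicators not yet on the firewall/proxy, so each day's change is small and reviewable."""
    return ([i for i in ips if i not in already_blocked],
            [d for d in domains if d not in already_blocked])

def render_squid_acl(domains):
    """Squid dstdomain list; the leading dot makes an entry match its subdomains too."""
    return "".join("." + d + "\n" for d in domains)
```

Feeding yesterday's blocklist to `new_entries` is what turns a daily scrape into a short, reviewable change set rather than a growing file nobody reads.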

The team tested their hypothesis and the results proved amazing. Day one after putting up blocks? No ransomware infections. Day two? Three? Nothing.

It had taken creativity and a certain set of skills, but the battle against ransomware had been taken to another level—and overcome.

Erin O’Malley is an incident response delivery support manager at Accenture Security, FusionX, Cyber Investigation and Forensics Response (CIFR), where she teams with incident responders and threat hunters to document and catalog incident report findings and highlight the value of taking an adversary-based approach to minimize the risk, exposure, and damage of cybersecurity incidents. Prior to joining Accenture, Erin was a security solutions marketing manager at Gigamon. Other past roles have included product marketing for virtualization and cloud security solutions at Juniper Networks and customer marketing at VMware. She has written and edited for GE Digital, WSGR, Business Objects, and the TDA Group, and holds a B.A. in French from Penn State University and an M.A. in French from Middlebury College. The opinions and statements in this column are solely those of the individual author, and do not constitute professional or legal advice, nor do they necessarily reflect the views of Accenture, its subsidiaries, or affiliates. No representations or warranties are provided, and the reader is responsible for determining whether or not to follow any of the suggestions or recommendations, entirely at their own discretion.