You’ve been hit with ransomware. Now what?
Two recent appearances of ransomware in the news demonstrate that it is a problem that is growing in both volume and significance, as larger and larger organizations, some critical to public and social services, are impacted by an outbreak:
This stuff is insidious. Ransomware typically comes in as an email attachment, purporting to be an invoice or a shipment tracking document or something else seemingly innocuous. Once open, ransomware typically silently begins encrypting all of the files it can, without any user interaction or notification. It is only once its dastardly deed is done that it prompts the user with information about how much the ransom is, how to pay it and more.
It used to be that the first versions of Cryptolocker were not smart enough to go after data on network drives and only inflicted unwanted encryption on files stored locally on a machine. This could still be paralyzing in some instances, but for medium to large businesses that stored the majority of their data on network shared drives and SANs or NASes, this provided a level of relief.
That is sadly not the case anymore, because as the virus has grown more successful and more profitable to the writers, most of the ransomware variants can now traverse network drives and UNC paths, encrypting anything that they can actually touch and access with the level of permissions granted to the user account under which the malware is executing. The results, as you can tell from recent news reports about ransomware, can wreak havoc.
There are two basic solutions to the ransomware problem, one simple and one that will probably tear your team apart during the implementation. (Technically, there are three, but I don’t count actually paying the ransom as a solution because there are no blanket immunities offered in paying the ransom and surely the price will continue to increase as attacks and infestations become more successful.)
Regular and consistent backups along with tested and verified restores. The only way not to feel held hostage by a ransomware attack is to have a viable alternative to paying: full and recent backups of all of your data, tested through consistent, regular restore procedures to make sure that the backups actually work.
Then, along with vigilant monitoring (many technologists report success with file-activity monitoring that detects large numbers of files being changed in sequence, especially files that have not otherwise been touched in a while) and appropriate file and folder permissions, you can detect an outbreak quickly and restore any encrypted data from your backups. This way, you do not have to pay the ransom, and the only data at risk of irreversible encryption is the data from initial infection to
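The detection heuristic mentioned above, as an added example that is not from the original article: a sliding-window detector that alerts when many files on one share that had not been modified in a long time are rewritten within a short window. The UNC paths, thresholds and events are all constructed for the demonstration.

```python
"""Detect the mass-rewrite pattern of a ransomware outbreak: many long-untouched
files on one share modified in quick succession. All events are constructed."""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ModifyEvent:
    when: datetime        # time the write was observed (e.g. from file audit logs)
    path: str             # UNC path of the modified file
    prev_mtime: datetime  # last-modified time the file had before this write


def share_of(path: str) -> str:
    # \\server\share\dir\file -> \\server\share (assumes a plain UNC layout)
    parts = path.strip("\\").split("\\")
    return "\\\\" + "\\".join(parts[:2])


def detect_mass_rewrite(events, window=timedelta(seconds=60),
                        threshold=50, stale=timedelta(days=30)):
    """Return one (share, first_write, count) alert per share the first time
    `threshold` stale files are rewritten within `window`. Events are time-ordered."""
    recent, alerts, alerted = {}, [], set()
    for ev in events:
        if ev.when - ev.prev_mtime < stale:
            continue  # recently edited file: ordinary user activity, ignore
        share = share_of(ev.path)
        q = recent.setdefault(share, deque())
        q.append(ev.when)
        while q and ev.when - q[0] > window:
            q.popleft()  # drop writes that fell out of the window
        if len(q) >= threshold and share not in alerted:
            alerted.add(share)
            alerts.append((share, q[0], len(q)))
    return alerts


def sample_events():
    """Constructed audit stream: an outbreak on \\fs01\finance (one 200-day-old
    file rewritten every 250 ms) interleaved with normal edits on \\fs01\hr."""
    t0 = datetime(2016, 3, 1, 9, 0, 0)
    old = t0 - timedelta(days=200)
    evs = [ModifyEvent(t0 + timedelta(milliseconds=250 * i),
                       "\\\\fs01\\finance\\2014\\inv%d.xlsx" % i, old) for i in range(120)]
    evs += [ModifyEvent(t0 + timedelta(seconds=5 * i), "\\\\fs01\\hr\\roster.docx",
                        t0 - timedelta(hours=1)) for i in range(10)]
    return sorted(evs, key=lambda e: e.when)
```

Tune `threshold`, `window` and `stale` to the share's normal churn; a nightly batch job that rewrites archived files would otherwise trip the same rule.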
Application whitelisting. Essentially the only way to definitively protect against a ransomware attack and invasion – or any other malware infestation for that matter – from even taking hold is to implement application whitelisting. Whitelisting involves computing checksums and other “digital fingerprints” for applications that you deem permitted to run on your systems, and then basically cutting everything else out and disallowing the code from executing at all.
Sounds great, right? No exploits can run if they are not already whitelisted, so not only does this approach protect you from current threats, but it also acts as a prophylactic for future malware as well – even though you would still do well to have edge and endpoint security, having a known good list of applications and then black-holing everything else would be a significant step up in security.
Aye, but therein lies the rub: If you took the superset of all of the regularly used applications you have by all of your users as well as their varying versions and patch levels, you might very well have thousands of programs – and to use the built-in software whitelisting functions within Windows, you would need to create a signature for all of them. Every single one of them. There are various automated solutions available, but they all have a cost as well for the licensing as well as the administration time.
Finally, with whitelisting, there’s the user acceptance factor: your users won’t be able to download anything, including browser plugins, which you have not already allowed in advance. This includes even the most minor programs like PuTTY for secure shell tunneling over the internet using SSH, popular with your IT staff, or something like Notepad+, a great text editor many knowledge workers like to download to enhance quick notetaking. (Both of those programs are single executable files with no installation required and are portable between systems, meaning that they often find their way onto thumb drives or USB storage devices and are shared freely among coworkers.)
Are you and your IT team up for the massive effort not only to establish the initial set of whitelisted definitions but also to continually maintain them, even as new patches change digital signatures, new employees request new programs, and additional services come online? It would truly be a massive undertaking, but I call it the nuclear option simply because it is the most straightforward (not easiest, but most plainly simple) way of all but eliminating the threat of ransomware on your systems.
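To make the checksum whitelisting mechanism and its maintenance burden concrete, here is an added example that is not from the original article and not any vendor's or Windows' own whitelisting code: a default-deny allow-list keyed on SHA-256, exercised against a copied binary, an unknown attachment, and a patched version that must be re-approved. The file names and contents are constructed stand-ins in a temporary directory.

```python
"""Hash-based application allow-list: fingerprint every approved executable,
deny anything else, and note that a patch changes the fingerprint. Constructed demo."""
import hashlib
import os
import tempfile


def fingerprint(path: str) -> str:
    """SHA-256 of the file contents, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_allowlist(approved_dir: str) -> dict:
    """Map sha256 -> filename for every file the admin placed in approved_dir."""
    return {fingerprint(os.path.join(approved_dir, n)): n
            for n in sorted(os.listdir(approved_dir))}


def is_allowed(allowlist: dict, candidate: str) -> bool:
    # Default deny: only an exact content hash match may run, regardless of name.
    return fingerprint(candidate) in allowlist


def _write(path: str, data: bytes) -> str:
    with open(path, "wb") as f:
        f.write(data)
    return path


def demo() -> dict:
    """Exercise the allow-list against constructed 'executables'."""
    with tempfile.TemporaryDirectory() as d:
        approved = os.path.join(d, "approved")
        os.mkdir(approved)
        _write(os.path.join(approved, "putty.exe"), b"MZ putty 0.66")  # hypothetical build
        allow = build_allowlist(approved)
        # Same bytes under another name (copied from a thumb drive): hash matches.
        copy = _write(os.path.join(d, "p.exe"), b"MZ putty 0.66")
        # Unknown attachment pretending to be an invoice: not on the list.
        unknown = _write(os.path.join(d, "invoice.pdf.exe"), b"MZ not approved")
        # Vendor patch changed the binary: denied until the admin re-fingerprints it.
        patched = _write(os.path.join(d, "putty.exe"), b"MZ putty 0.67")
        results = {"copy": is_allowed(allow, copy), "unknown": is_allowed(allow, unknown),
                   "patched": is_allowed(allow, patched)}
        allow[fingerprint(patched)] = "putty.exe (re-approved)"  # the maintenance step
        results["after_reapproval"] = is_allowed(allow, patched)
        return results
```

Every patch to every approved program repeats that last re-approval step, which is the administration cost the article warns about.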