Surviving ransomware by keeping things simple

DERBYCON – Ransomware is a topic everyone knows about, but unless you’ve experienced a ransomware attack, it’s hard to really describe and understand the stress associated with these events.

This year has seen ransomware take the top spot when it comes to attention in the security world. A soon to be released study from Holger Schulze, founder of the 370,000-member Information Security Community on LinkedIn, shows that Ransomware has become a serious focal point.

According to Schulze’s data, 75-percent of organizations affected by ransomware experienced up to five attacks in the last 12 months alone, 25-percent experienced 6 or more attacks. Moreover, 51-percent of those who took part in the study say they could recover from a successful ransomware attack within a day, while 39-percent estimate it will take more than one day to a few weeks to recover.

In a report published last month, Symantec says that the threat of ransomware is trending up, with almost 320,000 cases of detected and blocked ransomware attacks. That number is expected to top 470,000 before the year is finished.

The question is, if Symantec detected and blocked nearly 320,000 ransomware attempts, how many did they miss? That answer isn’t easy to come by, but consider this: On August 28, 2017, AppRiver detected 23 million (23,000,000) Locky ransomware messages in a single day.

“Locky ransomware authors are aware that it can be detected by a small set of conventional AV vendors, which is why they’ve decided to halt the infection procedure entirely if any of them is present,” said Omri Moyal, co-founder and VP of research at Minerva.

“Avoiding specific AV products helps Locky samples go undetected by the rest and stay under the radar for longer time,” Moyal added, explaining that this is because malware hashes are often shared between AV vendors.

If the organization isn’t prepared, ransomware attacks can be devastating. On Saturday at DerbyCon, a security conference held in Louisville, KY, one administrator shared his war stories in the hope that no one has to face a ransomware trial by fire.

Matthew Perry, a network administrator for a small law firm and co-founder of the Secure WV conference, has survived two different ransomware attacks, and the key to his survival was preparation.

The key to ransomware survival: Backups

In a small office such as his, a ransomware attack could cripple the business, as a law firm is mostly a word processing shop – something ransomware targets at even a basic level. In order to prepare for the worst-case scenario, Perry has backups. But more importantly, he tests them, and monitors them daily.

“Every morning when I come in, I have the window that the batch file ran in, because it’s still on my screen. So, I look at it, and I verify that it ran correctly and it looks about right,” Perry explained, talking about his process for verifying backups.

“The way the batch file works, is that it doesn’t make an image backup each night, it just backs up the new stuff. And I know what our workflow is, so if it backed up a hundred thousand files one day, then something’s wrong.”

For those who are curious, Perry shared a copy of the batch file script with Salted Hash. This script is altered as needed for when Perry needs to do versioning of his backups:

xcopy f:*.* e:backupfdrive*.* /d/e/y

xcopy T:timematters*.* e:backuptimematters*.* /d/e/h/y

pause

Aside from monitoring the backup jobs, Perry also has plenty of opportunity to test them. As mentioned, his office is a document processing shop and most of those documents are forms – so stuff isn’t written from scratch.

Users will often overwrite a file on accident, and come to him to restore it. When he does, he uses that as an opportunity to verify backups and verify the restoration.

Even if Perry’s office was larger, this process would still work. Normal workflow means he gets to test his backups once a week. Even then, he still goes in and pull things out just to test.

If Perry’s backups only target things that have changed on a user’s system, what happens if they’re infected? Will the backups overwrite good files with bad?

As it turns out, this was a problem he had to deal with during the second ransomware attack.

The ransomware had infected a local drive and jumped to other shared network drives. Perry isn’t sure of the infection order, but said that the ransomware jumped to the backup NAS first, and started encrypting it.

“What I learned from that is, I needed to have an online backup that wasn’t a shared drive,” Perry said.

As mentioned, Perry’s backups are done in layers. There’s a daily, a weekly, a second daily that isn’t on a shared drive, and then there’s the offsite backup. After the NAS incident, Perry installed drives on his personal workstation, which isn’t shared across the network. This allows him to have a backup at his desk that mirrors the NAS archives (the second daily), but only available to him.

“Unless I opened the ransomware, there’s no way that drive is going to get infected,” Perry said.

When it comes to scaling, Perry thinks his process will scale as needed for larger organizations. But it is important to remember that his backup solution was created to fit his needs, and the needs of the office where he works.

The important part is that no matter what backup solution is used in-house, it needs to be monitored and tested on a regular basis.

Surviving two ransomware attacks

The two ransomware attacks Perry faced came via email, and the second attack was clever one. During this second attack, the ransomware arrived and informed the victim the requested pictures were attached.

Now, the bad luck in this attack came in two stages.

The first stage is that the victim in this case was expecting images, and they were expecting them from a known contact. While coincidence, the ransomware email used the first name of the victim’s contact, and because the lure was an image, the victim didn’t hesitate when it came to opening the attachment.

The second stage of bad luck – as mentioned – is that the ransomware infected the NAS.

The first ransomware attack Perry had to contend with was discovered after he noticed something wrong with the backups. He went to the victim’s desk and checked-up on things and found them working like normal with the CryptoLocker notice on the screen. This situation led to an extensive awareness training campaign, and time spent explaining that he is only a call away and that no one will be punished for being infected by malware.

Awareness training

In addition to backups, the other thing Perry did to survive ransomware is focus on awareness training for his users. He uses trapped word documents, as well as basic phishing emails using a domain that is similar to the one his law firm uses, but is slightly off – a lookalike domain.

It took time, but eventually he’s reached a point where he is happy with the results of the tests he conducts.

Training is an ongoing process, so he and his staff are taking things one day at time. However, because he has a plan, Perry is confident that hopefully avoiding — or in the worst-case surviving — a third ransomware attack is an achievable goal.

Related video: Ransomware, Equifax, and Derbycon on Salted Hash

More on ransomware:

• The 5 biggest ransomware attacks of the last 5 years
• Who is a target for ransomware attacks?
• How to recover from a ransomware attack
• A Blue Team’s reference guide to dealing with Ransomware
• The fault for ransomware attacks lies with the challenges security teams face