ARN

You’ve been hit with ransomware. Now what?

When their data has been stolen, and is being held hostage, companies are increasingly caving in to cybercriminal demands for payment. Short of paying up, the best defense is a good offense.

Imagine waking up to an urgent 5 a.m. call: Something has taken over your corporate network and encrypted all of your data, and supposedly the only way to get it all back is to pay a significant sum to an anonymous third party using Bitcoin. While that scene might sound like something out of Hollywood, it is actually very real – and it’s exactly what several variants of ransomware are doing to organizations around the globe.

Two recent appearances of ransomware in the news demonstrate that it is a problem that is growing in both volume and significance, as larger and larger organizations, some critical to public and social services, are impacted by an outbreak:

  • The BBC reports that the Chino Valley Medical Center and Desert Valley hospital, in the state of California, were infected with ransomware. A spokesman for the owner of the medical center, Prime Healthcare Services, confirmed that there were some “significant disruptions of [the medical center’s] hospital systems.”
  • In a recent high-profile case, the Hollywood Presbyterian Medical Center declared an internal emergency after suffering on outbreak of ransomware. Ultimately, this hospital decided to ante up the required Bitcoin ransom payment, handing over $17,000 in order to get access to its computers. The original ransom demand was for $3.7 million in Bitcoins, so if nothing else, that is some decent negotiating on the part of the hospital.
  • A Kentucky medical center, Methodist Hospital, was recently infected by a ransomware attack. This time, the strain of the ransomware was confirmed: Locky, a newer variant of Cryptolocker, infiltrated the defenses of the medical center’s network and spread to the entire internal network as well as several other systems, according to the CNBC report. At the time of this writing, the ransom demand was for $1,600 for this particular hospital, and it was unclear if the hospital intended on paying the ransom. Another report in Ars Technica quotes the hospital’s attorney: “I think it’s our position that we’re not going to pay it unless we absolutely have to.”

[Related: 4 reasons not to pay up in a ransomware attack]

This stuff is insidious. Ransomware typically comes in as an email attachment, purporting to be an invoice or a shipment tracking document or something else seemingly innocuous. Once open, ransomware typically silently begins encrypting all of the files it can, without any user interaction or notification. It is only once its dastardly deed is done that it prompts the user with information about how much the ransom is, how to pay it and more.

It used to be that the first versions of Cryptolocker were not smart enough to go after data on network drives and only inflicted unwanted encryption on files stored locally to a machine. This could still be paralyzing in some instances, but for medium to large businesses who stored the majority of their data on network shared drives and SANs or NASes, this provided a level of relief.

That is sadly not the case anymore, because as the virus has grown more successful and more profitable to the writers, most of the ransomware variants can now traverse network drives and UNC paths, encrypting anything that they can actually touch and access with the level of permissions granted to the user account under which the malware is executing. The results, as you can tell from recent news reports about ransomware, can wreak havoc.

Strategies for dealing with ransomware

There are two basic solutions to the ransomware problem, one simple and one that will probably tear your team apart during the implementation. (Technically, there are three, but I don’t count actually paying the ransom as a solution because there are no blanket immunities offered in paying the ransom and surely the price will continue to increase as attacks and infestations become more successful.)

Regular and consistent backups along with tested and verified restores. The only way not to feel held hostage because of a ransomware attack is to have the next best viable alternative – to not pay it, because you have full and recent backups of all of your data that have also been tested through consistent, regular restore procedures to make sure that the backups actually worked.

Then, along with vigilant monitoring (many technologists report success with using file monitoring screening to detect large numbers of files being changed in sequence, especially if those files have not been touched otherwise in a while) and ensuring you have appropriate file and folder permissions set, you can simply detect an outbreak quickly and then restore any encrypted data from your backups. This way, you do not have to pay the ransom and the only data at risk of potential irreversible encryption is the data from initial infection to

Application whitelisting. Essentially the only way to definitively protect against a ransomware attack and invasion – or any other malware infestation for that matter – from even taking hold is to implement application whitelisting. Whitelisting involves computing checksums and other “digital fingerprints” for applications that you deem permitted to run on your systems, and then basically cutting everything else out and disallowing the code from executing at all.

Sounds great, right? No exploits can run if they are not already whitelisted, so not only does this approach protect you from current threats, but it also acts as a prophylactic for future malware as well – even though you would still do well to have edge and endpoint security, having a known good list of applications and then black-holing everything else would be a significant step up in security.

[Related: With few options, companies increasingly yield to ransomware demands]

Aye, but therein lies the rub: If you took the superset of all of the regularly used applications you have by all of your users as well as their varying versions and patch levels, you might very well have thousands of programs – and to use the built-in software whitelisting functions within Windows, you would need to create a signature for all of them. Every single one of them. There are various automated solutions available, but they all have a cost as well for the licensing as well as the administration time.

Finally, with whitelisting, there’s the user acceptance factor: your users won’t be able to download anything, including browser plugins, which you have not already allowed in advance. This includes even the most minor programs like PuTTY for secure shell tunneling over the internet using SSH, popular with your IT staff, or something like Notepad+, a great text editor many knowledge workers like to download to enhance quick notetaking. (Both of those programs are single executable files with no installation required and are portable between systems, meaning that they often find their way onto thumb drives or USB storage devices and are shared freely among coworkers.)

Are you and your IT team up for the massive effort not only to establish the initial set of whitelisted definitions but also to continually maintain them, even as new patches change digital signatures, new employees request new programs, and additional services come online? It would truly be a massive undertaking, but I call it the nuclear option simply because it is the most straightforward (not easiest; but most plainly simple) way of all but eliminating the threat of ransomware on your systems.