Broken Record Part Deux

From my morning reading, it appears that the U.S. Government has discovered that we are in a cyberwar. (WELL, DUH!!!, WHO WOULD HAVE THOUGHT THAT?) As operations and security practitioner for the last 30 years, I can say that we have been in a cyberwar for at least 35 of those years with all confidence. (Operations and security practitioner, what a fancy way to say, competent systems and network administrator.)

The latest flap is all about ransomware. First of all what is it?

From Wikipedia:

Ransomware is a type of malware from cryptovirology that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid. While some simple ransomware may lock the system so that it is not difficult for a knowledgeable person to reverse, more advanced malware uses a technique called cryptoviral extortion. It encrypts the victim’s files, making them inaccessible, and demands a ransom payment to decrypt them. In a properly implemented cryptoviral extortion attack, recovering the files without the decryption key is an intractable problem – and difficult to trace digital currencies such as paysafecard or Bitcoin and other cryptocurrencies are used for the ransoms, making tracing and prosecuting the perpetrators difficult.

Ransomware attacks are typically carried out using a Trojan disguised as a legitimate file that the user is tricked into downloading or opening when it arrives as an email attachment. However, one high-profile example, the WannaCry worm, traveled automatically between computers without user interaction.

Starting from around 2012, the use of ransomware scams has grown internationally. There were 181.5 million ransomware attacks in the first six months of 2018. This record marks a 229% increase over this same time frame in 2017. In June 2014, vendor McAfee released data showing that it had collected more than double the number of ransomware samples that quarter than it had in the same quarter of the previous year. CryptoLocker was particularly successful, procuring an estimated US$3 million before it was taken down by authorities, and CryptoWall was estimated by the US Federal Bureau of Investigation (FBI) to have accrued over US$18 million by June 2015.

More to the point how do we protect against this?

The SINGLE MOST EFFECTIVE mitigation tactic is REGULAR BACKUPS and REGULAR TESTS OF THOSE BACKUPS. From my personal experience(s), I will also include RAPIDLY RESTORE said backups; it does no good to have backups that take more than 24 hours to restore. (One day without systems can have an annoying business impact, more than that can prove fatal to your business or your clients.) In my professional life, I back clients up locally and to the cloud (disk to disk to cloud) and have done performance tests yielding up to 3.4 Gb/s of restore performance. Make sure you have backups, and they are tested, and you can promptly put your systems back online.

Educate employees. Like other malware, ransomware often infects a system through email attachments, downloads, and web browsing. Organizations should conduct regular training to help employees avoid common malware pitfalls. Again drawing from my past experiences, users should NEVER bypass browser warnings. At one point, a known advertisement supplier was serving ads with links to malware sites. If the browser says, “DO YOU REALLY WANT TO DO THIS? You really don’t.)

Blocking attachments is an important step in reducing the attack surface. This is quite similar to the above but is a critical item, not just for ransomware. Ransomware is often delivered as some form of executable attachment: direct executables (e.g., .exe, .js, or anything else that can be executed), Microsoft Office files containing macros, .zip files that either contain executable files or are executable themselves (i.e., named .zip, but really .exe). Therefore, it is important to have an email security service to scan, filter, and quarantine possible bad attachments.

Robust filtering is one of the most important steps an organization can take. Logically, chances of an attack will be reduced if the browser will examine the IP-reputation of the website components. Remember that even IF a site has a good cert, items on a web page can come from MANY sources. I will suggest one of the many IP-reputation-based filtering systems that will filter DNS lookups and block access to known sites.

Removing local administrative rights can deter ransomware from running on a local system and prevent its spread by crippling the critical components of any ransomware attack: the power to change system files and directories and system registry and storage. The removal of local administrative rights also blocks access to any critical system resources and files that ransomware targets for encryption. (One should NEVER routinely operate as an all-powerful user. This avoids the “OOOPS” factor, much less blocking ransomware’s ability to function.)

I’ll close this missive with a few more oft repeated, and never heard comments:

  • Use 2FA.
  • Use unique passwords.
  • Never save credentials to a device.
  • Keep your anti-malware updated.
  • Keep your operating system patched.
  • Keep your mail client updated.
  • Keep your browser updated.
  • Do not open unexpected documents.
  • Do not open unexpected links.
  • Never ignore your AV, AS, or AM software’s warnings.
  • If it looks strange, IT IS…
  • YOU DID NOT WIN THE <REDACTED> NATIONAL LOTTERY
  • “FREE PUBLIC WIFI” is like an STD; it’s the gift that keeps giving.

Do visit one of the compromised data dump sites (one is https://haveibeenpwned.com) and check for your various email addresses.

And a final set of “Call to Action(s)”.

  • It is now hurricane season; when was your last disaster recovery test?
  • It is now summer; when was your server room ac last checked?
  • It is now summer; when did you last test your ups / generator?